[7.250] Directory user prefetch passwd leak [CONFIRMED]

Hi I found a security concern in the Directory user prefetch log file.
Users passwords are shown in plain text.
These passwords should be **** out or removed.
This will not pass various privacy laws etc.
But also if the firewall management is outsourced, outsourced staff can view users passwords.
Retrieving configuration
2008:07:21-12:53:52 (none) user_prefetch[21987]: connecting to confd
2008:07:21-12:53:53 (none) user_prefetch[21987]: ldap server:
2008:07:21-12:53:53 (none) user_prefetch[21987]:     server:  172.16.10.200
2008:07:21-12:53:53 (none) user_prefetch[21987]:     port:    389
2008:07:21-12:53:53 (none) user_prefetch[21987]:     ssl:     0
2008:07:21-12:53:53 (none) user_prefetch[21987]:     bind_dn: DN=administrator,CN=users,DC=*****,DC=com,DC=au
2008:07:21-12:53:53 (none) user_prefetch[21987]:     passwd:  CLEARTEXT
2008:07:21-12:53:53 (none) user_prefetch[21987]: contexts:
2008:07:21-12:53:53 (none) user_prefetch[21987]:     CN=Users,DC=****,DC=com,DC=au

Mark

Parents

0 rleibl over 17 years ago

Done. The bind password will no longer be printed to the logfile.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 rleibl over 17 years ago

Done. The bind password will no longer be printed to the logfile.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BrucekConvergent over 17 years ago in reply to rleibl

Done. The bind password will no longer be printed to the logfile.

Good catch...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel