bobbingwide / oik-bwtrace

debug trace for WordPress
https://www.oik-plugins.com/oik-plugins/oik-bwtrace-debug-trace-for-wordpress/
GNU General Public License v2.0

Consider obfuscating secure information #83

Open bobbingwide opened 4 years ago

bobbingwide commented 4 years ago

There are instances where tracing could log secret information. This is not a major problem in a development environment but would be an issue in staging or live if the trace files directory is web accessible.

What are the sensible options?

  1. Disallow tracing when the trace files directory is publicly accessible.
  2. Disable tracing of transactions involving passwords.
  3. Filter password values from arrays and objects being traced
  4. Something else
bobbingwide commented 4 years ago

The password field on the WordPress login form is called pwd. At trace startup this may be traced as part of the $_REQUEST and $_POST arrays.

wp-content\plugins\oik-bwtrace\includes\class-BW-trace-controller.php(414:0) trace_startup(2) 3 0 2019-12-05T10:00:56+00:00 0.002429 0.000441 cf! 15 1 0 2097152/2097152 256M F=187 _REQUEST Array
(
    [log] => username
    [pwd] => password
    [rememberme] => forever
    [wp-submit] => Log In
    [redirect_to] => https://s.b/wordpress/wp-admin/
    [testcookie] => 1
)

For Add New user, two passwords are sent in pass1 and pass2.

wp-content/plugins/oik-bwtrace/includes/class-BW-trace-controller.php(414:0) trace_startup(2) 8 0 2019-12-05T10:14:31+00:00 0.005290 0.000166 cf! 16 1 0 2097152/2097152 256M F=188 _REQUEST Array
(
    [action] => createuser
    [_wpnonce_create-user] => 2bf2e6ad18
    [_wp_http_referer] => /wordpress/wp-admin/user-new.php
    [user_login] => username@example.com
    [email] => username@example.com
    [first_name] => User
    [last_name] => Name
    [url] => https://example.com
    [pass1] => password
    [pass2] => password
    [role] => subscriber
    [ure_other_roles] => 
    [createuser] => Add New User
)

The encrypted password is stored in the wp_users table. Tracing of the saved_queries can reveal this value when a new user is created. e.g. $P$BSXeW6bkh846/3xYHXXXBnPAL10/4b0

bobbingwide commented 4 years ago

Posts can also be password protected.
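
An added example of option 3 from the opening comment (filter password values from arrays and objects being traced), covering the login, Add New User, saved-query and password-protected-post cases discussed in this thread. This is illustrative code written for this issue, not code from oik-bwtrace; the function name, the key list and the hash regex are assumptions. The key list is taken from the field names shown above (pwd, pass1, pass2) plus post_password and user_pass, which are assumed here to be the WordPress field names for password-protected posts and the stored hash; the regex matches the phpass-style "$P$" hash quoted above (34 characters from the set ./0-9A-Za-z).

```php
<?php
// Added example for issue #83, not part of oik-bwtrace.
// Hypothetical helper that scrubs secrets from data before it is written to a trace file.

/**
 * Request/DB keys whose values must never reach a trace file (assumed list):
 * pwd (wp-login.php), pass1/pass2 (user-new.php), post_password (protected posts),
 * user_pass (wp_users column).
 */
const BW_TRACE_SECRET_KEYS = [ 'pwd', 'pass1', 'pass2', 'post_password', 'user_pass' ];

/** phpass portable hash as shown in the issue: "$P$" + 31 chars of [./0-9A-Za-z]. */
const BW_TRACE_HASH_PATTERN = '/\$P\$[.\/0-9A-Za-z]{31}/';

/**
 * Recursively redact secret values from arrays and objects, and mask stored
 * password hashes that appear inside strings such as saved SQL queries.
 * Returns a scrubbed copy; the original $_REQUEST / object is not modified.
 */
function bw_trace_redact( $value, $key = null ) {
    if ( is_array( $value ) ) {
        $out = [];
        foreach ( $value as $k => $v ) {
            $out[ $k ] = bw_trace_redact( $v, $k );
        }
        return $out;
    }
    if ( is_object( $value ) ) {
        $copy = clone $value;               // never mutate the object being traced
        foreach ( get_object_vars( $copy ) as $k => $v ) {
            $copy->$k = bw_trace_redact( $v, $k );
        }
        return $copy;
    }
    // Key-based redaction: the whole value goes, whatever it looks like.
    if ( is_string( $key ) && in_array( strtolower( $key ), BW_TRACE_SECRET_KEYS, true ) ) {
        return '[REDACTED]';
    }
    // Value-based redaction: catches hashes embedded in saved_queries output.
    if ( is_string( $value ) ) {
        return preg_replace( BW_TRACE_HASH_PATTERN, '[REDACTED-HASH]', $value );
    }
    return $value;
}

// Constructed input mirroring the $_REQUEST arrays and saved query shown in the issue.
$request = [
    'log'        => 'username',
    'pwd'        => 'password',
    'rememberme' => 'forever',
    'user_login' => 'username@example.com',
    'pass1'      => 'password',
    'pass2'      => 'password',
];
$saved_query = "INSERT INTO wp_users (user_login, user_pass) "
             . "VALUES ('username', '\$P\$BSXeW6bkh846/3xYHXXXBnPAL10/4b0')";

print_r( bw_trace_redact( $request ) );   // pwd, pass1, pass2 show as [REDACTED]
echo bw_trace_redact( $saved_query ), "\n"; // hash replaced by [REDACTED-HASH]
```

Call bw_trace_redact() on $_REQUEST and $_POST before trace_startup() serialises them, and on each saved query string before it is written. Key-based filtering alone misses a secret that arrives under an unexpected field name, which is why the hash pattern is applied to every string as well; neither step replaces option 1, since the safest trace file is one that is not web accessible in the first place.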