hypery2k / owncloud

In this repo you'll find apps and enhancements for owncloud

Security Issue: Password in logfile #335

Closed soerenbernstein closed 9 years ago

soerenbernstein commented 9 years ago

While troubleshooting another problem I've noticed that the log information of the roundcube addon is dumping the password in the clear.

rotdrop commented 9 years ago

I remember that once or twice such a debugging kludge accidentally slipped into the git archive through my hands. Inspecting my own logs I do not have the impression that this is still the case; can you perhaps quote one of those log lines (but of course with the password wiped out) so that it is easier for me/us to identify the bogus line in our own log files?

Thanks,

Claus

soerenbernstein commented 9 years ago

Here you go: Exception: {"Message":"Unable to determine network-status due to technical problems.","Code":0,"Trace":"#0 \/srv\/www\/owncloud\/htdocs\/apps\/roundcube\/lib\/RoundCubeLogin.class.php(279): OC_RoundCube_Login->sendRequest('\/roundcube\/', Array)\n#1 \/srv\/www\/owncloud\/htdocs\/apps\/roundcube\/lib\/RoundCubeApp.class.php(356): OC_RoundCube_Login->login('<username>', '<password>')\n#2 \/srv\/www\/owncloud\/htdocs\/apps\/roundcube\/lib\/RoundCubeApp.class.php(529): OC_RoundCube_App::login('owncloud.quasiw...', '', '\/roundcube\/', '<username>', '<password>')\n#3 \/srv\/www\/owncloud\/htdocs\/apps\/roundcube\/ajax\/userSettings.php(10): OC_RoundCube_App::saveUserSettings('roundcube', '<username>', '<username>', '<password>')\n#4 \/srv\/www\/owncloud\/htdocs\/lib\/private\/route\/route.php(135) : runtime-created function(1): require_once('\/srv\/www\/ownclo...')\n#5 [internal function]: __lambda_func(Array)\n#6 \/srv\/www\/owncloud\/htdocs\/lib\/private\/route\/router.php(250): call_user_func('\\x00lambda_1427', Array)\n#7 \/srv\/www\/owncloud\/htdocs\/lib\/base.php(782): OC\\Route\\Router->match('\/apps\/roundcube...')\n#8 \/srv\/www\/owncloud\/htdocs\/index.php(36): OC::handleRequest()\n#9 {main}","File":"\/srv\/www\/owncloud\/htdocs\/apps\/roundcube\/lib\/RoundCubeLogin.class.php","Line":434}
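
The trace above carries the password because PHP records each frame's call arguments and the logger wrote them out verbatim. The following is an added example, not code from the roundcube app or from any commenter: it builds a log record with the same keys (Message, Code, Trace, File, Line) but without arguments. The function names and sample credentials are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: roundcubeLogin(), safeTrace() and exceptionToLogRecord()
// are hypothetical names, not part of the roundcube app.

/** Stand-in for a login call that fails after it has received credentials. */
function roundcubeLogin(string $user, string $password): void
{
    throw new RuntimeException('Unable to determine network-status due to technical problems.');
}

/** Reduce a trace to file, line and callee name; the 'args' entry is never read. */
function safeTrace(Throwable $e): array
{
    $frames = [];
    foreach ($e->getTrace() as $i => $frame) {
        $callee = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $where  = isset($frame['file'])
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $frames[] = sprintf('#%d %s: %s()', $i, $where, $callee);
    }
    return $frames;
}

/** Build a JSON log record shaped like the one in the report, minus arguments. */
function exceptionToLogRecord(Throwable $e): string
{
    return json_encode([
        'Message' => $e->getMessage(),
        'Code'    => $e->getCode(),
        'Trace'   => implode("\n", safeTrace($e)),
        'File'    => $e->getFile(),
        'Line'    => $e->getLine(),
    ]);
}

try {
    roundcubeLogin('alice', 's3cret-sample'); // constructed sample credentials
} catch (Throwable $e) {
    // getTraceAsString() renders string arguments of each frame (long strings
    // are truncated), unless zend.exception_ignore_args is enabled.
    $leaky = $e->getTraceAsString();
    $safe  = exceptionToLogRecord($e);
    echo 'default trace contains password: ',
        var_export(strpos($leaky, 's3cret-sample') !== false, true), "\n";
    echo 'sanitized record contains password: ',
        var_export(strpos($safe, 's3cret-sample') !== false, true), "\n";
}
```

On PHP 7.4 and later, `zend.exception_ignore_args=On` drops arguments from all traces at the interpreter level; PHP 8.2 adds the `#[\SensitiveParameter]` attribute for redacting individual parameters.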

mckaygerhard commented 9 years ago

OK, do you mean that the users are named "username" and the password in clear text is "password", right?

This, I think, only happened if the debugging level is at the lowest .. let me try and I'll post feedback here

hypery2k commented 9 years ago

you can try if the error is now gone with latest master

hypery2k commented 9 years ago

is it still an issue with the latest master?

mckaygerhard commented 9 years ago

I cannot see it in my log .. (and I still have the roundcube table empty)

I ask: is it necessary to have enabled the file encryption app of owncloud?

soerenbernstein commented 9 years ago

I really can't say if it is still an issue because I can't produce the log entry anymore.

I don't have any file encryption enabled in owncloud.