nextcloud / sharepoint

💾 Nextcloud SharePoint Backend for External storages
https://apps.nextcloud.com/apps/sharepoint
GNU Affero General Public License v3.0

SECURITY : app log messages reveal unobfuscated (clear-text) credentials #142

Closed didierm closed 2 years ago

didierm commented 2 years ago

When watching the Nextcloud logs (NC v21), it is observed that the SharePoint Backend app (v1.9.1) logs the SharePoint credentials (as entered in the External storages configuration) in cleartext.

Only part of the arguments have their parameter(s) replaced by the string *** sensitive parameters replaced ***.

For an example, please refer to the log extract in https://github.com/nextcloud/sharepoint/issues/141#issuecomment-1195781505. In that example, username, password, email and tenant (of which username and password are critically important) were manually replaced by

***username_manually_obfuscated***
***password_manually_obfuscated***
***email_manually_obfuscated***
***tenant_manually_obfuscated***
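As an added defensive illustration (not code from the sharepoint app, the Nextcloud server, or the reporter), this Python sketch shows the two-layer redaction the report points at: masking parameters by name alone still leaves credentials that were interpolated into an exception message, so the known credential values are scrubbed from every string as well, and a final check reports anything that still leaks. All key names, the sample configuration and the sample log context are constructed.

```python
from typing import Any

# Constructed list of parameter names whose values must never reach the log.
SENSITIVE_KEYS = {"username", "password", "email", "tenant", "secret", "token"}
MASK = "*** sensitive parameters replaced ***"


def collect_secrets(config: dict) -> list:
    """Credential values from a storage configuration, longest first so that a
    value containing another one (e.g. an email holding the username) is
    masked before its substring."""
    values = {str(v) for k, v in config.items()
              if k.lower() in SENSITIVE_KEYS and v}
    return sorted(values, key=len, reverse=True)


def scrub(obj: Any, secrets: list) -> Any:
    """Recursively redact a log context: sensitive keys are masked by name,
    and every string (messages, nested args, lists) has the known secret
    values replaced, which also catches credentials embedded in free text."""
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else scrub(v, secrets))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [scrub(v, secrets) for v in obj]
    if isinstance(obj, str):
        for secret in secrets:
            obj = obj.replace(secret, MASK)
        return obj
    return obj  # numbers, None, booleans carry no credential


def safe_log_line(message: str, context: dict, config: dict) -> str:
    """Build the text that would be written to the log, fully redacted."""
    secrets = collect_secrets(config)
    return f"{scrub(message, secrets)} {scrub(context, secrets)}"


def leaks(line: str, config: dict) -> list:
    """Detection check: which configured secrets still appear in a log line."""
    return [s for s in collect_secrets(config) if s in line]


# Constructed sample storage configuration and log context (not from the issue).
SAMPLE_CONFIG = {"host": "https://sp.example.invalid/sites/ops", "username": "svc-sync",
                 "password": "Hunter2!", "email": "svc-sync@contoso.example",
                 "tenant": "contoso-corp"}
SAMPLE_CONTEXT = {"args": {"username": "svc-sync", "password": "Hunter2!",
                           "host": "https://sp.example.invalid/sites/ops"},
                  "exception": "Login failed for svc-sync / Hunter2! on tenant contoso-corp"}
```

Running `leaks(...)` over an existing log file with the stored configuration is a quick way to confirm whether an upgrade actually closed this hole.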
blizzz commented 2 years ago

fixed in https://github.com/nextcloud/sharepoint/pull/143 for upcoming 25

and in https://github.com/nextcloud/server/pull/33689 for 24. Backports down to 22 follow.
