[cas-dev] CAS 3.0.6 Debug Log Level Shows Cleartext Passwords
Marvin S. Addison
serac at vt.edu
Tue Feb 20 11:03:03 EST 2007
We discovered this when deploying CAS 3.0.6 to our development
environment where we default all Java apps to the DEBUG log level. We
were surprised to see cleartext passwords emanating from the debug
messages of org.jasig.cas.web.flow:
2007-01-22 09:31:46,008 [http-8443-3] DEBUG
org.jasig.cas.web.flow.AuthenticationViaFormAction - Binding allowed
request parameters in map['lt' ->
'_c60501CDD-D676-9EBF-F087-91E640996F6A_k2198D848-333C-14F1-98CA-A535785240C5', 'service' -> array<String>['*****'], '_eventId' -> 'submit', 'password' -> '******', 'submit' -> 'submit', 'username' -> '****'] to form object with name 'credentials', pre-bind formObject toString = null
There is no statement in AuthenticationViaFormAction that generates this
message, so presumably it's generated by the subclass
org.springframework.webflow.action.FormAction.
Although the log4j.properties shipped with CAS has a default INFO value
that would prevent the display of the above sensitive information, it is
not documented that the DEBUG level on the flow package would disclose
this information. We recommend that the file be updated to include a
warning of sensitive information disclosure for this level:
log4j.logger.org.jasig=INFO
#log4j.logger.org.jasig.cas.authentication=DEBUG
# WARNING: Setting the entire flow package to DEBUG level will display
# the parameters posted to the login servlet including cleartext
# authentication credentials
#log4j.logger.org.jasig.cas.web.flow=DEBUG
#log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
#log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
#log4j.logger.org.org.jasig.cas.services=DEBUG
Marvin
--
Applications Programming Analyst
Collaborative Technologies Unit
Virginia Tech