[cas-dev] CAS 3.0.6 Debug Log Level Shows Cleartext Passwords
Scott Battaglia
scott.battaglia at gmail.com
Tue Feb 20 11:13:32 EST 2007
Marvin,
We do include a statement about the passwords:
# WARNING: Setting the org.springframework logger to DEBUG displays debug information about
# the request parameter values being bound to the command objects. This could expose your
# password in the log file. If you are sharing your log files, it is recommended you selectively
# apply DEBUG level logging on an org.springframework.* package level (i.e. org.springframework.dao)
Is this not sufficient?
Thanks
-Scott
On 2/20/07, Marvin S. Addison <serac at vt.edu> wrote:
>
> We discovered this when deploying CAS 3.0.6 to our development
> environment where we default all Java apps to the DEBUG log level. We
> were surprised to see cleartext passwords emanating from the debug
> messages of org.jasig.cas.web.flow:
>
> 2007-01-22 09:31:46,008 [http-8443-3] DEBUG
> org.jasig.cas.web.flow.AuthenticationViaFormAction - Binding allowed
> request parameters in map['lt' ->
> '_c60501CDD-D676-9EBF-F087-91E640996F6A_k2198D848-333C-14F1-98CA-A535785240C5',
> 'service' -> array<String>['*****'], '_eventId' -> 'submit', 'password' ->
> '******', 'submit' -> 'submit', 'username' -> '****'] to form object with
> name 'credentials', pre-bind formObject toString = null
>
> There is no statement in AuthenticationViaFormAction that generates this
> message, so presumably it's generated by the subclass
> org.springframework.webflow.action.FormAction.
>
> Although the log4j.properties shipped with CAS has a default INFO value
> that would prevent the display of the above sensitive information, it is
> not documented that the DEBUG level on the flow package would disclose
> this information. We recommend that the file be updated to include a
> warning of sensitive information disclosure for this level:
>
> log4j.logger.org.jasig=INFO
> #log4j.logger.org.jasig.cas.authentication=DEBUG
> # WARNING: Setting the entire flow package to DEBUG level will display
> # the parameters posted to the login servlet including cleartext
> # authentication credentials
> #log4j.logger.org.jasig.cas.web.flow=DEBUG
> #log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
> #log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
> #log4j.logger.org.org.jasig.cas.services=DEBUG
>
> Marvin
> --
> Applications Programming Analyst
> Collaborative Technologies Unit
> Virginia Tech
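As an added example (not part of this thread, nor code from CAS or Spring), a small Python audit that flags the log4j.properties DEBUG settings the thread warns about and scans log lines in the quoted FormAction format for bound credential values, redacting them. The configuration excerpt, log lines and credential values below are constructed; a logger counts as risky when it is the flow or webflow package itself or a parent of it (e.g. org.springframework), while a sibling such as org.springframework.dao is accepted, matching the advice in the reply.

```python
import re

# Constructed log lines modelled on the DEBUG message quoted in the thread (values are made up).
SAMPLE_LOG = """2007-01-22 09:31:46,008 [http-8443-3] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Binding allowed request parameters in map['lt' -> 'LT-constructed', 'service' -> array<String>['https://app.example.edu/'], '_eventId' -> 'submit', 'password' -> 'hunter2', 'submit' -> 'submit', 'username' -> 'jdoe'] to form object with name 'credentials', pre-bind formObject toString = null
2007-01-22 09:31:46,120 [http-8443-3] INFO  org.jasig.cas.authentication.AuthenticationManagerImpl - constructed: authenticated jdoe
2007-01-22 09:31:47,001 [http-8443-4] DEBUG org.jasig.cas.services.DefaultServiceRegistry - constructed: registry reload"""

# Constructed log4j.properties excerpt with the flow package left at DEBUG.
SAMPLE_PROPS = """log4j.logger.org.jasig=INFO
#log4j.logger.org.jasig.cas.authentication=DEBUG
log4j.logger.org.jasig.cas.web.flow=DEBUG
#log4j.logger.org.springframework=DEBUG
log4j.logger.org.springframework.dao=DEBUG"""

# Loggers whose DEBUG output echoes bound request parameters, per the thread.
RISKY_LOGGERS = ("org.jasig.cas.web.flow", "org.springframework.webflow")
VERBOSE_LEVELS = ("DEBUG", "TRACE", "ALL")

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$")
SECRET_RE = re.compile(r"'(?P<key>password|username)' -> '(?P<val>[^']*)'")


def audit_log4j(props_text):
    """Return (key, value) pairs whose verbose level covers a credential-echoing logger."""
    findings = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank or commented-out entries are inactive
        key, value = (s.strip() for s in line.split("=", 1))
        if value.split(",")[0].strip().upper() not in VERBOSE_LEVELS:
            continue
        if key == "log4j.rootLogger":
            findings.append((key, value))  # root at DEBUG covers every package
            continue
        name = key[len("log4j.logger."):] if key.startswith("log4j.logger.") else None
        # Risky if the configured logger is a risky package or an ancestor of one.
        if name and any(r == name or r.startswith(name + ".") for r in RISKY_LOGGERS):
            findings.append((key, value))
    return findings


def scan_log(log_text):
    """Return one finding per log line that carries bound credentials, with values redacted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not SECRET_RE.search(m["msg"]):
            continue
        redacted = SECRET_RE.sub(lambda s: "'%s' -> '%s'" % (s["key"], "*" * len(s["val"])), m["msg"])
        findings.append({"timestamp": m["ts"], "level": m["level"], "logger": m["logger"], "redacted": redacted})
    return findings
```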