topic Warning usernames and passwords stored in clear text of the apache logs when testing with ldap in Expedition Discussions

Warning usernames and passwords stored in clear text of the apache logs when testing with ldap

psuJohn — Wed, 19 Sep 2018 19:43:54 GMT

Warning if you use the test button next to an ldap server the userid and password are stored in clear text in /var/log/apache2/access.log since they are passed in the URL.

Example:

<IP> - - [19/Sep/2018:14:28:22 -0500] "GET /bin/authentication/servers/loginServers.php?_dc=1537385302801&id=1&type=LDAP&action=test&admin_user=<userid>&admin_
password=<password> HTTP/1.1" 200 749

this is on version 1.0.105

Re: Warning usernames and passwords stored in clear text of the apache logs when testing with ldap

alestevez — Thu, 20 Sep 2018 10:24:47 GMT

Hi, Good catch. We will move the request from GET to POST to avoid Apache logs stores the credentials.

<Remember> you are the owner of your Expedition VM and no one else has access to it other than you.

Thanks for let us know and help us to improve Expedition.

Re: Warning usernames and passwords stored in clear text of the apache logs when testing with ldap

psuJohn — Thu, 20 Sep 2018 13:13:12 GMT

Not disagreeing it is my expedition server, but if you are doing log forwarding or at a minium whomever has access to the cli has access to the logs until it gets rotated out and deleted. ( I haven't checked the logrotate settings)

Might I also suggest when you change that auth test to a post you also purge the apache2 accept logs or at least the values in those logs?

Re: Warning usernames and passwords stored in clear text of the apache logs when testing with ldap

alestevez — Sat, 22 Sep 2018 06:27:04 GMT

When we move to post the values will not be stored in the logs anymore and by now how you are root you can just remove your logs from

sudo cd /var/log/apache2/
sudo rm -rf access.log*
sudo rm -rf error.log*

That will remove all your current logs.