Warning if you use the test button next to an ldap server the userid and password are stored in clear text in /var/log/apache2/access.log since they are passed in the URL.
<IP> - - [19/Sep/2018:14:28:22 -0500] "GET /bin/authentication/servers/loginServers.php?_dc=1537385302801&id=1&type=LDAP&action=test&admin_user=<userid>&admin_
password=<password> HTTP/1.1" 200 749
this is on version 1.0.105
Hi, Good catch. We will move the request from GET to POST to avoid Apache logs stores the credentials.
<Remember> you are the owner of your Expedition VM and no one else has access to it other than you.
Thanks for let us know and help us to improve Expedition.
Not disagreeing it is my expedition server, but if you are doing log forwarding or at a minium whomever has access to the cli has access to the logs until it gets rotated out and deleted. ( I haven't checked the logrotate settings)
Might I also suggest when you change that auth test to a post you also purge the apache2 accept logs or at least the values in those logs?
When we move to post the values will not be stored in the logs anymore and by now how you are root you can just remove your logs from
sudo cd /var/log/apache2/ sudo rm -rf access.log* sudo rm -rf error.log*
That will remove all your current logs.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!