Fusiondirectory exposes bindpw on error
Fusiondirectory exposes bindpw on error
Hi,
today i got some problems with my fusiondirectory. I tried to login but was welcome with some Error messages from PHP (that's not the problem, or at least not yet ^^)
The problem is, that the PHP error messages also contained the ldap_init with the full bindpw in cleartext. (see a image attached)
I think this is realy bad. The password should at least be stared out.
Hopefully you can do something about this :)
Sincerely, Tobias Göbel
(from redmine: issue id 4764, created on 2016-05-04, closed on 2016-06-09)
- Changesets:
- Revision 0fdf2815 by Côme Chilliet on 2016-05-26T09:21:13.000Z:
Fixes #4764 Hide passwords from error traces- Revision 5af257fa by Côme Chilliet on 2016-05-30T06:28:03.000Z:
Fixes #4764 Hide passwords from error traces- Custom Fields:
- Bug in version: 1.0.12
- Uploads:
Activity
So, I added a system to hide parameters of some functions from debug trace. For now these are:
static $hideArgs = array( 'ldap_init' => array(3), 'ldap_login_user' => array(1), 'change_password' => array(1), 'cred_decrypt' => array(0,1), 'LDAP/__construct' => array(1), );The array contains the indices of parameters to hide. Do you know of any other method which should hide some parameters from trace?
(from redmine: written on 2016-05-30)
By Côme Chilliet on 2017-09-02T15:28:45 (imported from GitLab)
added Security label
By bmortier on 2018-10-04T19:23:10 (imported from GitLab)
added fusiondirectory-core label and removed Bugs label
added FSA-0009 label
