Is it OK to display the password in the logs?

This topic contains 1 reply, has 2 voices, and was last updated by EVILRipper 7 years, 12 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #2905

    Anonymous

    Hello, since I was having problems with mt-daapd svn-1696 I decided to ask it to log everything, log level 9 (the most detailed).

    OS: Kubuntu 8.04
    Architecture: i686

    Searching through the logs to get to the relevant parts, I stumbled across the lines that showed the login details encrypted and then in real text!

    Surely, I understand what the purpose of debugging is, but still!

    2009-05-29 01:51:55 (b741cb90): Preparing to decode YWRtaW46bXQtZGFhcGQ=
    2009-05-29 01:51:55 (b741cb90): Decoded admin:mt-daapd
    2009-05-29 01:51:55 (b741cb90): Decoded user=admin, pw=mt-daapd
    2009-05-29 01:51:55 (b741cb90): in main_auth
    2009-05-29 01:51:55 (b741cb90): Checking url /config.html
    2009-05-29 01:51:55 (b741cb90): Checking url /config.html
    2009-05-29 01:51:55 (b741cb90): Dispatching auth for /config.html to config auth
    2009-05-29 01:51:55 (b741cb90): Added *HTTP_USER=admin*
    2009-05-29 01:51:55 (b741cb90): Added *HTTP_PASSWD=mt-daapd*
  • #18547

    EVILRipper
    Participant

    True, you have a point. However, the person that has access to the log probably also has access to the .conf file, which also contains the password in text.
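
Added example, not part of the thread and not mt-daapd code: a Python filter that masks the credential-bearing lines shown in the first post before a debug log is shared or archived. The token in that log is the Base64 form of `user:password` used by HTTP Basic authentication, so the filter decodes candidate tokens to recognize it; the function names and `[REDACTED]` markers are assumptions of this example.

```python
import base64
import re

# Candidate Base64 token: 8+ alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
# key=value fields from the posted log: "pw=..." and "HTTP_PASSWD=...".
SECRET_FIELD = re.compile(r"\b(pw|HTTP_PASSWD)=([^\s,*]+)")
# The "Decoded user:password" line written right after the Base64 decode.
DECODED_PAIR = re.compile(r"(Decoded )([^\s:=]+):(\S+)")


def is_basic_credential(token: str) -> bool:
    """True if token is valid Base64 that decodes to printable 'user:password'."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad padding, bad alphabet, or non-ASCII bytes
        return False
    user, sep, _ = text.partition(":")
    return bool(user and sep) and text.isprintable()


def redact_line(line: str) -> str:
    """Return line with Basic-auth tokens and password fields masked."""
    line = B64_TOKEN.sub(
        lambda m: "[REDACTED-BASIC]" if is_basic_credential(m.group()) else m.group(),
        line,
    )
    line = SECRET_FIELD.sub(r"\1=[REDACTED]", line)
    return DECODED_PAIR.sub(r"\1\2:[REDACTED]", line)


# Log lines copied from the first post, values as posted.
SAMPLE = [
    "2009-05-29 01:51:55 (b741cb90): Preparing to decode YWRtaW46bXQtZGFhcGQ=",
    "2009-05-29 01:51:55 (b741cb90): Decoded admin:mt-daapd",
    "2009-05-29 01:51:55 (b741cb90): Decoded user=admin, pw=mt-daapd",
    "2009-05-29 01:51:55 (b741cb90): in main_auth",
    "2009-05-29 01:51:55 (b741cb90): Added *HTTP_USER=admin*",
    "2009-05-29 01:51:55 (b741cb90): Added *HTTP_PASSWD=mt-daapd*",
]

if __name__ == "__main__":
    for original in SAMPLE:
        print(redact_line(original))
```

The user name is left in place so the log stays useful for troubleshooting; only the password and the encoded token are masked.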
