Passwords recorded in firewall_logs database table.
securit opened this issue · 1 comments
securit commented
A suggestion to remove the passwords used by users from the firewall_logs table.
Currently both the username and the attempted password are stored in clear text in the log in the request field. This is considered extremely bad security practice. The suggestion is that you remove or obfuscate the password at a minimum.
For example:
_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=greg@gmail.com&password=SL8dNS)@j!
Should be stored something like this:
_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=greg@gmail.com&password=**********
Or
_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=g***@gmail.com&password=**********
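One way to apply the redaction this report asks for, as an added Python example that is not code from this project: it parses the stored form body, replaces any password-like field with a fixed-width mask (fixed width so the log does not leak the password length, which a length-preserving mask would), and optionally masks the e-mail local part as in the second variant. The sample request body is constructed, and the extra key names beyond `password` and `email` are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample in the shape of a login body as stored in the
# `request` column (hypothetical values, not real credentials).
SAMPLE_REQUEST = ("_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp"
                  "&email=greg@gmail.com&password=SL8dNS)@j!")

# Fixed-width mask: never reuse the original length, or the log still
# reveals how long the password was.
MASK = "**********"

# Assumed field names; extend to whatever forms the application logs.
SECRET_KEYS = {"password", "password_confirmation", "current_password"}


def mask_email(value: str) -> str:
    """Keep the first character and the domain so attempts can still be
    correlated in the log without storing the full address."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return MASK
    return local[0] + "***@" + domain


def redact_request(raw: str, mask_emails: bool = False) -> str:
    """Return the form body with secret fields masked, order preserved."""
    pairs = parse_qsl(raw, keep_blank_values=True)
    out = []
    for key, value in pairs:
        k = key.lower()
        if k in SECRET_KEYS or "password" in k or "passwd" in k:
            out.append((key, MASK))          # drop the secret entirely
        elif mask_emails and k == "email":
            out.append((key, mask_email(value)))
        else:
            out.append((key, value))
    # safe="@*" keeps the masked output readable instead of %40 / %2A
    return urlencode(out, safe="@*")


if __name__ == "__main__":
    print(redact_request(SAMPLE_REQUEST))
    print(redact_request(SAMPLE_REQUEST, mask_emails=True))
```

Run the redaction before the row is written, not as a later cleanup, so the clear-text value never reaches the database or its backups.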
denisdulici commented
Fixed in latest version.