akaunting/laravel-firewall

Passwords recorded in firewall_logs database table.

securit opened this issue · 1 comment

A suggestion to remove the passwords used by users from the firewall_logs table.

Currently both the username and the attempted password are stored in clear text in the log's request field. This is considered extremely bad security practice. The suggestion is that you remove or obfuscate the password, at a minimum.

For example:

_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=greg@gmail.com&password=SL8dNS)@j!

Should be stored something like this:

_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=greg@gmail.com&password=**********

Or

_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=g***@gmail.com&password=**********
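One way to do the redaction the issue asks for, as an added example that is not code from akaunting/laravel-firewall or from the issue author: parse the URL-encoded body, replace the value of any password-like key with a fixed-length mask, optionally mask the local part of email addresses, and re-encode the result before it is written to the log. The list of sensitive keys, the mask string and the function names are assumptions for illustration.

```php
<?php
// Added example, not part of akaunting/laravel-firewall. Redacts secrets in an
// application/x-www-form-urlencoded request body before it reaches a log table.
// Key list, mask format and function names are assumptions for illustration.

// Fixed-length mask: the issue's example uses one '*' per character, which still
// leaks the real password length to anyone who reads the log.
const REDACTED_MASK = '**********';

// Keys whose values must never be logged (matched case-insensitively; assumed list).
const SENSITIVE_KEYS = ['password', 'password_confirmation', 'current_password', 'new_password'];

/**
 * Mask the local part of an email address: greg@gmail.com -> g***@gmail.com.
 * Values that do not look like an email address are returned unchanged.
 */
function maskEmail(string $value): string
{
    if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
        return $value;
    }
    [$local, $domain] = explode('@', $value, 2);
    return substr($local, 0, 1) . '***@' . $domain;
}

/**
 * Redact a URL-encoded body. Pairs are split by hand rather than with parse_str()
 * so keys are kept exactly as sent (parse_str rewrites dots and spaces to
 * underscores and merges duplicate keys). Keys and user-supplied values are
 * re-encoded so a stray '&' or '=' in a value cannot corrupt the logged string.
 */
function redactRequestBody(string $body, bool $maskEmails = false): string
{
    $out = [];
    foreach (explode('&', $body) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $key   = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : null;

        if (in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            // The mask is a constant we control, so it is emitted as-is.
            $out[] = rawurlencode($key) . '=' . REDACTED_MASK;
            continue;
        }
        if ($maskEmails && $value !== null) {
            $value = maskEmail($value);
        }
        $out[] = $value === null
            ? rawurlencode($key)
            : rawurlencode($key) . '=' . rawurlencode($value);
    }
    return implode('&', $out);
}

// Usage on the request body quoted in the issue (constructed sample input):
$body = '_token=cbgHF2wMw2loK6nNAuEPkhyUod75roFfmjzkZGFp&email=greg@gmail.com&password=SL8dNS)@j!';
echo redactRequestBody($body), PHP_EOL;
echo redactRequestBody($body, true), PHP_EOL;
```

Two practical caveats: redaction has to happen before the row is inserted, not as a later cleanup, because the clear-text value would otherwise still land in database backups and replication logs; and any other part of the request the log records (headers such as Authorization or Cookie, or a JSON body) needs the same treatment, since this function only handles the form-encoded body.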

Fixed in latest version.