SECURITY : app log messages reveal unobfuscated (clear-text) credentials #142

Closed
didierm opened this issue Jul 26, 2022 · 2 comments

didierm commented Jul 26, 2022

When watching the NextCloud logs (NC v21), it is observed that the SharePoint Backend app (v1.9.1) logs the Sharepoint credentials (as entered in the External storages configuration) in cleartext.

Only part of the arguments have their parameter(s) replaced by the string *** sensitive parameters replaced ***.

For an example, please refer to the log extract in #141 (comment).
In that example, username, password, email and tenant (of which username and password are critically important) were manually replaced by

***username_manually_obfuscated***
***password_manually_obfuscated***
***email_manually_obfuscated***
***tenant_manually_obfuscated***
didierm changed the title from "SECURITY : app logs reveal unobfuscated (clear-text) credentials" to "SECURITY : app log messages reveal unobfuscated (clear-text) credentials" Jul 26, 2022

blizzz self-assigned this Jul 28, 2022
blizzz (Member) commented Aug 25, 2022

fixed in #143 for upcoming 25

and in nextcloud/server#33689 for 24. Backports down to 22 follow.


blizzz closed this as completed Aug 25, 2022
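
An added example, not code from this app or from Nextcloud: a log audit for the condition the issue reports, where some trace arguments carry the `*** sensitive parameters replaced ***` marker while others still hold the storage credentials. The JSON layout (`exception` / `Trace` / `args`), the function names and the credentials are constructed assumptions.

```python
import json

MARKER = "*** sensitive parameters replaced ***"
# Constructed test values, not real credentials. The quote in the password
# makes its JSON-encoded form differ from the cleartext.
SECRETS = {"username": "svc-user", "password": 'EXAMPLE-p"ss-123'}

# Constructed log lines; the exception/Trace/args layout is an assumption.
SAMPLE_LOG = "\n".join([
    json.dumps({"app": "sharepoint", "exception": {"Trace": [
        {"function": "hypothetical_login", "args": [MARKER]}]}}),
    json.dumps({"app": "sharepoint", "exception": {"Trace": [
        {"function": "hypothetical_connect",
         "args": ["https://example.invalid", "svc-user", 'EXAMPLE-p"ss-123']}]}}),
    "non-JSON line mentioning svc-user",
])


def walk(value, path=""):
    """Yield (path, text) for every string nested in a decoded JSON value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def find_leaks(log_text, secrets):
    """Return (line_no, path, label) per cleartext hit; never echoes the secret."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            # Decode first: a raw grep misses secrets that JSON escaped.
            strings = walk(json.loads(line))
        except json.JSONDecodeError:
            strings = [("<raw>", line)]  # fall back to a plain substring scan
        for path, text in strings:
            for label, secret in secrets.items():
                if secret and secret in text:
                    findings.append((line_no, path, label))
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG, SECRETS):
        print("line %d, %s: %s present in cleartext" % finding)
```

Any credential found this way should be rotated, since upgrading to a fixed release does not remove it from logs already written.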