I’m not a security expert, but I would consider passwords written in plaintext to the logfile to be a security problem!
Every time a user fails to log in, the typed password is dumped to the logfile in plaintext. So there are a number of potential issues with this:
- If the user misspelled his username (which is not secret), the password is ready to use.
- If the user misspelled his password, the real password could be very easy to guess.
- The user thought he was logging in to another system (facebook, google, …) and all of a sudden he exposed his credentials to that system.
- The list goes on and on …
We are running RT442 on Ubuntu 16.04 without any specific configuration that I think should produce this behaviour. So I guess it’s the default behaviour. If not, then what are we doing wrong? I think that this behaviour should not be possible to get, even by accident or bad configuration!
This might be fixed in RT444, I don’t know.
This is from my logfile when I try to log in as the nonexistent user gurka with the password XXXXX:
[8467] [Thu Dec 12 08:36:40 2019] [error]: FAILED LOGIN for gurka from 192.168.115.186 (/storage/_rt/rt442/sbin/../lib/RT/Interface/Web.pm:826)
Trace begun at /storage/_rt/rt442/sbin/../lib/RT.pm line 308
Log::Dispatch::__ANON__('Log::Dispatch=HASH(0x1edf940)', 'FAILED LOGIN for gurka from 192.168.115.186') called at /storage/_rt/rt442/sbin/../lib/RT/Interface/Web.pm line 826
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x9945b20)') called at /storage/_rt/rt442/share/html/NoAuth/Login.html line 49
HTML::Mason::Commands::__ANON__('user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'XXXXX') called at /usr/local/share/perl/5.22.1/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x98a78c0)', 'user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'XXXXX') called at /usr/local/share/perl/5.22.1/HTML/Mason/Request.pm line 1302
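As an added illustration (not part of the original post, and not RT's own code), here is a small Python scrubber for log lines of the shape shown above. Stack-trace frames dump the Mason component arguments as a flat quoted list ('user', 'gurka', ..., 'pass', '...'), so the password can be located and redacted by pattern, and the same pattern can be used to audit an existing logfile for credentials that have already leaked. The sample log is constructed from the lines in the post with shortened paths and a dummy password; the list of sensitive argument names it looks for is an assumption, not something taken from RT.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample log: the FAILED LOGIN trace from the post, with the paths
# shortened and the real password replaced by the dummy value "hunter2".
SAMPLE_LOG = """\
[8467] [Thu Dec 12 08:36:40 2019] [error]: FAILED LOGIN for gurka from 192.168.115.186 (/opt/rt/lib/RT/Interface/Web.pm:826)
Trace begun at /opt/rt/lib/RT.pm line 308
HTML::Mason::Commands::__ANON__('user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'hunter2') called at /usr/local/share/perl/5.22.1/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x98a78c0)', 'user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'hunter2') called at /usr/local/share/perl/5.22.1/HTML/Mason/Request.pm line 1302
"""

# A quoted Perl string as it appears in the trace: any run of non-quote
# characters or backslash escapes between single quotes.
_QSTR = r"'((?:[^'\\]|\\.)*)'"

# Argument names whose value must never reach a log. This list is an
# assumption for the example; extend it for your own forms.
_LEAK_RE = re.compile(
    r"'(?P<key>pass|password|passwd|secret|token)',\s*'(?P<value>(?:[^'\\]|\\.)*)'",
    re.IGNORECASE,
)
_USER_RE = re.compile(r"'user',\s*" + _QSTR)


def find_leaks(log_text: str) -> List[Tuple[int, str, str]]:
    """Audit a log: return (line_number, key, leaked_value) for every sensitive
    argument found in a trace line. Line numbers are 1-based."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for m in _LEAK_RE.finditer(line):
            hits.append((n, m.group("key").lower(), m.group("value")))
    return hits


def harvest_credentials(log_text: str) -> Set[Tuple[Optional[str], str]]:
    """What someone with read access to the log learns: the (username, password)
    pairs that the trace lines hand over. Username is None if no 'user'
    argument is present on the same line."""
    pairs = set()
    for line in log_text.splitlines():
        user = _USER_RE.search(line)
        for m in _LEAK_RE.finditer(line):
            pairs.add((user.group(1) if user else None, m.group("value")))
    return pairs


def redact_line(line: str) -> str:
    """Replace the value of every sensitive argument with a fixed marker,
    keeping the key so the trace stays readable."""
    return _LEAK_RE.sub(lambda m: f"'{m.group('key')}', '[REDACTED]'", line)


def redact_log(log_text: str) -> str:
    """Redact every line; preserves a trailing newline if the input had one."""
    out = "\n".join(redact_line(line) for line in log_text.splitlines())
    return out + "\n" if log_text.endswith("\n") else out


if __name__ == "__main__":
    for n, key, _ in find_leaks(SAMPLE_LOG):
        print(f"line {n}: argument '{key}' is logged in plaintext")
    print(redact_log(SAMPLE_LOG))
```

Scrubbing after the fact only limits the damage: the value has already been written to disk (and possibly shipped to a central log host) before the filter runs, so the real fix is for the application never to include the password argument in the trace it logs. Running find_leaks over existing logfiles is still worth doing, because it tells you which users' passwords are now compromised and must be rotated.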