Why are plaintext passwords written to the logfile?

I’m not a security expert, but I would consider passwords written in plaintext to the logfile being a security problem!

Every time a user fails to log in, the typed password is dumped to the logfile in plaintext. So there are a number of potential issues with this:

  • If the user misspelled his username (which is not secret), the password is ready to use.
  • If the user misspelled his password, the real password could be very easy to guess.
  • The user thought he was logging in to another system (facebook, google, …) and all of a sudden he exposed his credentials to that system.
  • The list goes on and on …

We are running RT442 on Ubuntu 16.04 without any specific configuration that I think should produce this behaviour. So I guess it’s the default behaviour. If not then what are we doing wrong? I think that this behaviour should not be possible to get even by accident or bad configuration!

This might be fixed in RT444, I don’t know.

This is from my logfile when I try to login the nonexisting user gurka with the password XXXXX:

[8467] [Thu Dec 12 08:36:40 2019] [error]: FAILED LOGIN for gurka from 192.168.115.186 (/storage/_rt/rt442/sbin/../lib/RT/Interface/Web.pm:826)
Trace begun at /storage/_rt/rt442/sbin/../lib/RT.pm line 308
Log::Dispatch::__ANON__('Log::Dispatch=HASH(0x1edf940)', 'FAILED LOGIN for gurka from 192.168.115.186') called at /storage/_rt/rt442/sbin/../lib/RT/Interface/Web.pm line 826
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x9945b20)') called at /storage/_rt/rt442/share/html/NoAuth/Login.html line 49
HTML::Mason::Commands::__ANON__('user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'XXXXX') called at /usr/local/share/perl/5.22.1/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x98a78c0)', 'user', 'gurka', 'next', '039c0fb75e21bc16012a503e29e47a57', 'pass', 'XXXXX') called at /usr/local/share/perl/5.22.1/HTML/Mason/Request.pm line 1302

What are your log settings in your RT_SiteConfig.pm file? Doing a quick test with logging set to debug, I do not see this sort of output.

Nothing controversial I would say:

# Logging
Set($LogToSyslog, undef);
Set($LogToScreen, 'error');
Set($LogToFile, 'info');
Set($LogDir, '/storage/_rt/logs');
Set($LogToFileNamed, "rt.log");
Set($LogStackTraces, 'error');

$LogStackTraces

If set to a log level then logging will include stack traces for messages with level equal to or greater than specified.

NOTICE: Stack traces include parameters supplied to functions or methods. It is possible for stack trace logging to reveal sensitive information such as passwords or ticket content in your logs.

I’d say if you don’t need it, don’t use the stack trace config option.

https://docs.bestpractical.com/rt/4.2.4/RT_Config.html#LogStackTraces

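As an added example (not from this thread and not part of RT itself), a small Python audit script that scans an RT log for Mason stack-trace lines carrying the login form's 'pass' parameter, reports where a password was captured, and prints a redacted copy. The sample log text is constructed to mirror the trace quoted above, with placeholder paths and addresses.

```python
import re

# Constructed sample lines shaped like the RT trace quoted in the thread
# (placeholder paths, documentation-range IP addresses, made-up password).
SAMPLE_LOG = """\
[8467] [Thu Dec 12 08:36:40 2019] [error]: FAILED LOGIN for gurka from 192.0.2.10 (/opt/rt4/lib/RT/Interface/Web.pm:826)
Trace begun at /opt/rt4/lib/RT.pm line 308
HTML::Mason::Commands::__ANON__('user', 'gurka', 'next', 'deadbeef', 'pass', 'hunter2') called at /usr/local/share/perl/5.22.1/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x98a78c0)', 'user', 'gurka', 'next', 'deadbeef', 'pass', 'hunter2') called at /usr/local/share/perl/5.22.1/HTML/Mason/Request.pm line 1302
[8468] [Thu Dec 12 08:37:01 2019] [info]: Successful login for alice from 192.0.2.11
"""

# Mason hands the login form fields to the component as a flat key/value list,
# so a quoted 'pass' key followed by a quoted value is the typed password.
PASS_ARG = re.compile(r"'pass',\s*'([^']*)'")


def find_exposed_passwords(log_text):
    """Return (line_number, password) for every trace line carrying a 'pass' argument."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in PASS_ARG.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def redact(log_text):
    """Replace captured password values with a fixed marker, leaving the rest of each line intact."""
    return PASS_ARG.sub("'pass', '[REDACTED]'", log_text)


if __name__ == "__main__":
    for lineno, pw in find_exposed_passwords(SAMPLE_LOG):
        # Report the position and length only; never re-print the secret itself.
        print(f"line {lineno}: password parameter captured in stack trace ({len(pw)} chars)")
    print(redact(SAMPLE_LOG))
```

Running it against a real rt.log tells you whether $LogStackTraces has already written credentials that need to be purged, and the redacted output is what should be kept if the traces themselves are still needed.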