Password dumped to stderr

[xDaizu]

I found this error in my Apache error log:

[Tue May 17 09:53:49.402541 2016] [fcgid:warn] [pid 742] [client 258.258.258.332:54031] mod_fcgid: stderr: #2 /home/acme000/domains/manager.acme.com/public_html/vendor/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(356): Doctrine\DBAL\Driver\PDOMySql\Driver->connect(Array, 'acme000', 'myverysecurepassword', Array), referer: http://manager.acme.com/student

I'm not sure if this is the right place to report this, or if it's even reportable, but should the plain-text password be dumped, even if it's a fairly "secure" environment? It's still a password in plain text in a plain text file... that smells a bit insecure... doesn't it?

[Ocramius]

This can't be avoided by a tool/library/etc.

Your config (coming from the environment or similar) contains sensitive info.
This info needs to transit (somehow) to the actual location in the code where connections and similar are executed.

This transit of information is unavoidable, and your config will be in the stack frames. When an exception is thrown, the stack frames are captured into a stack trace, which will also contain your configuration (depending on the error reporting configuration for your system)

Here's what you can do to mitigate this:

• filter logs before storing them or sending them over the wire
• make logs available only to people with security clearing for the impact level (IL) your application has
• make passwords just one of the bits required for authentication (ip restriction, VPN, etc to be used)
• make sure logs are only in protected areas of the system, accessible only by privileged personnel

Closing as invalid.

[xDaizu]

My apologies.

As I said, I didn't even know if this was reportable or if anything could be done. Of course, the logs are already in a secure environment, very restricted.

Thanks for your thorough answer, though 👍