I'm not sure if this is the right place to report this, or if it's even reportable, but should the plain-text password be dumped, even if it's a fairly "secure" environment? It's still a password in plain text in a plain text file... that smells a bit insecure... doesn't it?
Your config (coming from the environment or similar) contains sensitive info.
This info needs to transit (somehow) to the actual location in the code where connections and similar are executed.
This transit of information is unavoidable, and your config will be in the stack frames. When an exception is thrown, the stack frames are captured into a stack trace, which will also contain your configuration (depending on the error reporting configuration for your system).
Here's what you can do to mitigate this:
- filter logs before storing them or sending them over the wire
- make logs available only to people with security clearing for the impact level (IL) your application has
- make passwords just one of the bits required for authentication (IP restriction, VPN, etc. to be used)
- make sure logs are only in protected areas of the system, accessible only by privileged personnel
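One way to implement the first mitigation (scrubbing secrets before a trace is written to the log), as an added example that is not code from this project or thread: a Python logging formatter that masks password-style key/value pairs and the password part of a DSN in both the message and the appended traceback. The key list, the DSN layout and the sample config are assumptions.

```python
import io
import logging
import re

# Key names whose values must never reach a log file (assumed list; extend it for your config).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")

# Matches  'password' => 'x',  "password": "x",  password=x  (PHP array dumps, JSON, Python reprs, env listings).
_KV_RE = re.compile(
    r"""(?P<key>['"]?(?:%s)['"]?\s*(?:=>|:|=)\s*)(?P<q>['"]?)(?P<val>[^'",\s)\]}]+)(?P=q)"""
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)
# Matches the password component of a DSN such as mysql://app:hunter2@db:3306/shop
_DSN_RE = re.compile(r"(?P<pre>[a-z][a-z0-9+.-]*://[^:/\s@]+:)[^@\s]+(?P<post>@)", re.IGNORECASE)


def redact(text: str) -> str:
    """Replace secret values in a chunk of log text (message or traceback) with a marker."""
    text = _KV_RE.sub(lambda m: f"{m.group('key')}{m.group('q')}[REDACTED]{m.group('q')}", text)
    return _DSN_RE.sub(r"\g<pre>[REDACTED]\g<post>", text)


class RedactingFormatter(logging.Formatter):
    """Scrubs the fully formatted record, so the exception text the base class appends is covered too."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def capture_failed_connect(cfg: dict) -> str:
    """Log a connection failure with the config dumped into the record and return what the log file would get."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("redact-demo")
    log.handlers.clear()
    log.addHandler(handler)
    log.propagate = False
    try:
        raise ConnectionError(f"could not connect with dsn={cfg['dsn']}")
    except ConnectionError:
        log.exception("database connection failed, config=%r", cfg)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample config; the secrets are fake.
    sample = {"host": "db.internal", "user": "app", "password": "hunter2", "dsn": "mysql://app:hunter2@db.internal/shop"}
    print(capture_failed_connect(sample))
```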
As I said, I didn't even know if this was reportable or if anything could be done. Of course, the logs are already in a secure environment, very restricted.
I found this error in my Apache error log: