password disclosure in initial setup #823
Comments
Hi! Thank you for your report. It looks like your report is missing some important sections of your issue template. Please complete it so that we get a better understanding of your setup and the problem to be able to fix the issue. It would be great to see what was logged. You should of course replace your real password with a random one. Thank you.

The missing log entry was hidden inside the Configuration array, sorry for that. I fixed the initial post.

Slightly more readable version of the log entry:

This can be fixed with #1093 (comment)

Hi, this is a significant security bug, and it is still present in Nextcloud 23 / Mail 1.12.0, 4 years after having been raised. Is there a plan to fix this in Nextcloud? And if not, will it be fixed in Mail? Thanks. Éibhear

This is fixed on the most recent NC master.
Steps to reproduce
Expected behaviour
Do not, under any circumstances (at least not at log level 2/3), log ANY passwords to disk or a log file. Although the attack surface might be small (one needs local access to the log file on the NC instance), dumping passwords into log files that may be written somewhere else (e.g. via rsyslog) is no good.
Actual behaviour
PLAINTEXT password written to logfile
Mail app
Mail app version: 0.7.10
Mailserver or service: dovecot/postfix
Number of accounts: -
Server configuration detail
Operating system: Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
Webserver: nginx/1.10.3 (fpm-fcgi)
Database: pgsql PostgreSQL 9.5.12 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit
PHP version: 7.0.25-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, cgi-fcgi, PDO, xml, apcu, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, pdo_pgsql, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache
Nextcloud version: 13.0.0 - 13.0.0.14
Updated from an older Nextcloud/ownCloud or fresh install: fresh install
Where did you install Nextcloud from: release zip
Signing status
Array
List of activated apps
Configuration (config/config.php)
Nextcloud log
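The defect reported here is a configuration array, password included, being written to the Nextcloud log at setup time. As an added example (not code from Nextcloud or the Mail app), the PHP below scrubs credential-looking keys from a nested context array before it reaches a logger and refuses to emit the entry if a known secret still survives in the serialized output; the key pattern, function names and sample account data are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Keys whose values must never reach a log file (pattern is an assumption).
const SECRET_KEY_PATTERN = '/pass(word|wd)?|secret|token|api[_-]?key|credential/i';
const MASK = '***REDACTED***';

/** Recursively replace the value of every secret-looking key with MASK. */
function redactSecrets(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        if (is_string($key) && preg_match(SECRET_KEY_PATTERN, $key) === 1) {
            $clean[$key] = MASK;
        } elseif (is_array($value)) {
            $clean[$key] = redactSecrets($value);
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

/**
 * Serialize a log context. $knownSecrets are raw values the caller already
 * holds (e.g. the password just submitted); if one of them survives redaction,
 * for instance inside a DSN string under a harmless-looking key, the whole
 * entry is suppressed rather than written to disk.
 */
function safeLogContext(array $context, array $knownSecrets): string {
    $json = json_encode(redactSecrets($context), JSON_UNESCAPED_SLASHES) ?: '{}';
    foreach ($knownSecrets as $secret) {
        if ($secret !== '' && strpos($json, $secret) !== false) {
            return '{"error":"log entry suppressed: contained a credential"}';
        }
    }
    return $json;
}

// Constructed sample resembling a mail account setup payload (not a real log line).
$password = 'hunter2';
$accountConfig = [
    'email' => 'user@example.com',
    'imap'  => ['host' => 'imap.example.com', 'port' => 993, 'user' => 'user', 'password' => $password],
    'smtp'  => ['host' => 'smtp.example.com', 'port' => 587, 'user' => 'user', 'password' => $password],
];
echo safeLogContext($accountConfig, [$password]), PHP_EOL;          // passwords masked

// The same secret embedded in a connection string is caught by the second guard.
$accountConfig['debug'] = ['dsn' => "imap://user:$password@imap.example.com"];
echo safeLogContext($accountConfig, [$password]), PHP_EOL;          // entry suppressed
```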