Incorrect login attempts should not be logged with plaintext passwords #496
Failed login attempts to the web UI print the username and password in plain text in the log file and on the interface log. This is a completely unnecessary security risk. If I mistype my username but enter the password correctly, someone could potentially see the password in plain text. Or, if some other application is compromised and grants access to the log file, that would enable an attacker to target nzbget.
I realize that the password is stored in the configuration file in plain text too, but that's its own, more complicated security issue.
I think just listing the attempted username should suffice. It would be more useful to log the IP address of the failed attempt.
Printing any password submission in plain text is not good security practice. Even if you skipped printing the correct one, it could still reveal password information.
Suppose I enter the correct username, but typo the password by one character. That attempt would be printed. Then I enter the correct username and password immediately after. Someone with the log file would see that and could use the incorrect attempt to guess the correct password.
I really think the log should just have username and IP for successful and failed login attempts. This is what FTP servers generally do. They never print the password.
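For reference, here is what the logging discussed in this thread looks like in code. This is an added example in C++ (nzbget's language), not code from nzbget or from anyone in this thread; `AuthAttempt`, `authenticate`, `formatLoginResult` and the sample credentials are all hypothetical. It puts the current behaviour (password interpolated into the failure message) beside the requested one (outcome, username and client IP only, for both success and failure), and adds two things a practitioner would want anyway: the submitted username is scrubbed of control characters before it hits a line-oriented log, so a crafted username cannot forge extra log entries, and the credential comparison runs in constant time.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example (not nzbget's own code). All names here are hypothetical.

struct AuthAttempt {
    std::string username;
    std::string password;   // must never reach the log
    std::string clientIp;
};

struct AuthResult {
    bool success;
    std::string logLine;    // the only thing that gets written to the log
};

// Compare two strings without bailing out at the first mismatching byte, so a
// client with a stopwatch learns nothing about how much of the password matched.
// (The length check still leaks the length; acceptable for this illustration.)
static bool constantTimeEquals(const std::string& a, const std::string& b)
{
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
    return diff == 0;
}

// Usernames come from the client, so strip control characters (CR/LF above all)
// before they go into a line-oriented log; otherwise a crafted username can forge
// additional entries. Long values are truncated so a huge username cannot flood
// the log either.
static std::string sanitizeForLog(const std::string& value, std::size_t maxLen = 64)
{
    std::string out;
    for (unsigned char c : value) {
        if (out.size() >= maxLen) { out += "..."; break; }
        out += (c < 0x20 || c == 0x7f) ? '?' : static_cast<char>(c);
    }
    return out;
}

// The pattern the issue complains about: the submitted password is interpolated
// into the failure message verbatim, so a one-character typo lands in the log.
std::string formatLoginFailureInsecure(const AuthAttempt& attempt)
{
    return "Login failed: username=" + attempt.username +
           " password=" + attempt.password;
}

// The pattern the issue asks for: outcome, username and client address only,
// recorded the same way for successful and failed attempts.
std::string formatLoginResult(const AuthAttempt& attempt, bool success)
{
    return std::string(success ? "Login succeeded" : "Login failed") +
           ": username=" + sanitizeForLog(attempt.username) +
           " ip=" + sanitizeForLog(attempt.clientIp, 45);
}

// Check the attempt against the configured credentials and build the log line.
// Both comparisons always run, so timing does not reveal which field was wrong.
AuthResult authenticate(const AuthAttempt& attempt,
                        const std::string& configuredUser,
                        const std::string& configuredPassword)
{
    bool userOk = constantTimeEquals(attempt.username, configuredUser);
    bool passOk = constantTimeEquals(attempt.password, configuredPassword);
    bool success = userOk && passOk;
    return AuthResult{success, formatLoginResult(attempt, success)};
}

int main()
{
    // Constructed sample: correct username, password off by one character.
    AuthAttempt typo{"admin", "hunter3", "192.0.2.10"};
    std::cout << "before: " << formatLoginFailureInsecure(typo) << "\n";
    std::cout << "after:  " << authenticate(typo, "admin", "hunter2").logLine << "\n";
    return 0;
}
```

The near-miss case from the thread is exactly where the difference shows: the "before" line hands an attacker `hunter3`, one edit away from the real password, while the "after" line records only that `admin` from `192.0.2.10` failed.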