
Incorrect login attempts should not be logged with plaintext passwords #496

Closed
kaysond opened this issue Jan 20, 2018 · 5 comments

@kaysond

commented Jan 20, 2018

Failed log in attempts to the web UI print the username and password in plain text in the log file and on the interface log. This is a completely unnecessary security risk. If I mistype my username, but enter the password correctly, someone could potentially see the password in plain text. Or, if some other application is compromised and grants access to the log file, that would enable an attacker to target nzbget.

I realize that the password is stored in the configuration file in plain text too, but that's its own, more complicated security issue.

I think just listing the username attempt should suffice. It would be more useful to log the IP address of the failed attempt.

@hugbug

Member

commented Jan 20, 2018

IP is already logged (in the latest testing version at least).
It is nice to see login attempts, usually with standard or simple passwords.

Would not printing the password if it was a correct one resolve the issue?

@hugbug hugbug added the improvement label Jan 20, 2018

@kaysond

Author

commented Jan 20, 2018

Printing any password submission in plain text is not good security practice. Even if you skipped printing the correct one, it could still reveal password information.

Suppose I enter the correct username, but typo the password by one character. That attempt would be printed. Then I enter the correct username and password immediately after. Someone with the log file would see that and could use the incorrect attempt to guess the correct password.

I really think the log should just have username and IP for successful and failed login attempts. This is what ftp servers generally do. They never print the password.

@hamiltont


commented Jan 21, 2018

Chiming in: Seeing a password in my log files was unpleasant! Especially since it was a password that was accidentally entered into the wrong htaccess box during some configuration testing. Seeing the username would have been enough to know what had happened.

@hugbug hugbug added this to the v20 milestone Jan 25, 2018

hugbug added a commit that referenced this issue Jan 25, 2018

@hugbug

Member

commented Jan 25, 2018

That's how it's printed now:

WARNING Request received on port 6790 from 127.0.0.1, but username (admin) or password invalid

@hugbug hugbug closed this Jan 25, 2018
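An added example, not nzbget's code, showing the logging discipline agreed in this thread: the auth log line carries only port, client IP and username (the failure line uses the exact format quoted above; the success line is an assumed parallel format), and a small log scan flags any line that contains the password or a one-character near miss of it, which is the leak kaysond describes. The handler, the verification helper and the sample log lines are all constructed for this example.

```python
import hmac
from typing import List

def verify_credentials(username: str, password: str,
                       expected_user: str, expected_pass: str) -> bool:
    """Constant-time compare of both fields; '&' (not 'and') avoids short-circuiting."""
    user_ok = hmac.compare_digest(username.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_pass.encode())
    return bool(user_ok & pass_ok)

def auth_log_line(port: int, client_ip: str, username: str, ok: bool) -> str:
    """Build the log line. The submitted password is never a parameter here,
    so it cannot end up in the log by accident."""
    if ok:
        # Assumed format for successful logins (the issue only shows the failure line).
        return f"INFO Login from {client_ip} on port {port} as {username}"
    # Failure format as shown by hugbug in this issue.
    return (f"WARNING Request received on port {port} from {client_ip}, "
            f"but username ({username}) or password invalid")

def handle_login(port: int, client_ip: str, username: str, password: str,
                 expected_user: str, expected_pass: str, log: List[str]) -> bool:
    """Hypothetical web-UI login handler: verify, then log username + IP only."""
    ok = verify_credentials(username, password, expected_user, expected_pass)
    log.append(auth_log_line(port, client_ip, username, ok))
    return ok

def _near_miss(window: str, secret: str) -> bool:
    # Same length, at most one differing character (Hamming distance <= 1).
    return sum(a != b for a, b in zip(window, secret)) <= 1

def lines_exposing_secret(log: List[str], secret: str) -> List[str]:
    """Defender's check: return log lines that contain the secret or a
    one-character typo of it (e.g. a failed attempt logged with the password)."""
    n = len(secret)
    hits = []
    for line in log:
        windows = (line[i:i + n] for i in range(len(line) - n + 1))
        if any(_near_miss(w, secret) for w in windows):
            hits.append(line)
    return hits
```

The near-miss scan is a coarse heuristic and will false-positive on very short passwords; its purpose is to show that skipping the log only for correct passwords, as first proposed, still leaks.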

@kaysond

Author

commented Jan 26, 2018

Thank you!
