SEC-1285: minor vulnerability in BasicProcessingFilter #1534

Closed
spring-issuemaster opened this Issue Nov 2, 2009 · 1 comment


@spring-issuemaster

Justin Sands (Migrated from SEC-1285) said:

In the log4j (at debug level) output I see the authorization header when the BasicProcessingFilter authentication filter is used:
Authorization header: Basic cGVhY2gucmVkLmludGVybmFsOmFsZ3Bhc3N3b3Jk

This information contains the username and password, simply obfuscated in base64; the username and password of any user can be discovered from the log4j logs. The proper behavior would be to remove the logging, or make it optional via an optional flag set on the BasicProcessingFilter. Right now it is not possible to change the behavior via configuration or sub-classing since it happens as part of doFilterHttp() which also implements the core functionality.

@spring-issuemaster

Luke Taylor said:

We wouldn't class this as a vulnerability since it is a matter of debug logging configuration. There are many ways in which a system can be configured to log sensitive information, but which would be regarded as vulnerabilities per se. However, it doesn't seem essential that the full authentication header is logged by this filter, so I've modified the output to prevent output of the header value. Instead, just the username will be logged, prior to authenticating.
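The two comments above describe the same header handled two ways: the reported debug line, which writes the whole Basic credential to the log, and the fix, which logs only the username before authentication. The following is an added illustration written for this page, not code from Spring Security, from BasicProcessingFilter, or from either commenter. The class name BasicAuthLogging, the method names, the log wording, and the sample credential alice:s3cret are all assumptions made for the example; the real filter's log message text is not shown on the page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added illustration (hypothetical names), not Spring Security code.
// Shows why logging the raw Authorization header is equivalent to logging
// the password, and the alternative the fix describes: log only the
// username, prior to authentication.
public final class BasicAuthLogging {

    /** Parsed result of an HTTP Basic Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Parse "Basic <base64(user:pass)>" as defined for the Basic scheme.
     * Returns empty when the header is absent, uses another scheme, or is
     * not well-formed, so callers never log a half-parsed value.
     */
    public static Optional<Credentials> parseBasic(String header) {
        if (header == null) return Optional.empty();
        String trimmed = header.trim();
        if (trimmed.length() < 6 || !trimmed.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(trimmed.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        String token = new String(raw, StandardCharsets.UTF_8);
        int colon = token.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new Credentials(token.substring(0, colon), token.substring(colon + 1)));
    }

    /** The problematic debug line from the report: base64 is an encoding, not a secret. */
    public static String unsafeDebugLine(String header) {
        return "Authorization header: " + header;
    }

    /** Username-only logging, as the fix describes (wording is illustrative). */
    public static String safeDebugLine(String header) {
        return parseBasic(header)
            .map(c -> "Basic Authentication Authorization header found for user '" + c.username + "'")
            .orElse("Authorization header is not a parseable Basic credential");
    }

    public static void main(String[] args) {
        // Constructed sample credential, not the value from the report.
        String header = "Basic " + Base64.getEncoder()
            .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(unsafeDebugLine(header)); // anyone reading the log recovers "alice:s3cret"
        System.out.println(safeDebugLine(header));   // only the username reaches the log
        System.out.println(safeDebugLine("Bearer opaque-token")); // other schemes are not decoded
    }
}
```

The point of the parse-then-log split is that the decision about what reaches the log is made on a structured value (the username field) rather than on the raw header string, so a malformed or non-Basic header is never echoed verbatim either. Because the username is logged before authentication, log readers can still correlate failed attempts with an account without the password ever being written.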

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016