DEBUG logging shows user inputted pw


      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Steps to reproduce:
      • Integrate JIRA with Crowd for user management
      • Within JIRA's administration panel, set DEBUG logging on the 'Default' level:
      • Log into JIRA as any Crowd user (in this case testuser / testpw)
      • Notice that this appears in both catalina.out and atlassian-jira.log:
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "POST /crowd/rest/usermanagement/1/authentication?username=testuser HTTP/1.1[\r][\n]"
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [apache.commons.httpclient.HttpMethodBase] Adding Host request header
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Accept: application/xml[\r][\n]"
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Authorization: Basic amlyYTphZG1pbg==[\r][\n]"
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "User-Agent: Jakarta Commons-HttpClient/3.0.1[\r][\n]"
        2011-12-19 09:45:35,356 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Host: dahmer:6095[\r][\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Cookie: $Version=0; JSESSIONID=346FF0812172877D5A48BFB90296B2E7; $Path=/crowd[\r][\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Content-Length: 105[\r][\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "Content-Type: application/xml[\r][\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.header] >> "[\r][\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.content] >> "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>[\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.content] >> "<password>[\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.content] >> "    <value>testpw</value>[\n]"
        2011-12-19 09:45:35,357 http-6060-11 DEBUG anonymous 585x185x1 r8vzf 192.168.15.171 /rest/gadget/1.0/login [httpclient.wire.content] >> "</password>[\n]"
        
      • The above contains both the testuser and testpw in plain text.
      • Note that it shows the password entered by the user, which may or may not be the real password, but in most cases users will have entered the real one.
      Workaround

      Modify the log4j.properties file by adding:

      log4j.logger.httpclient.wire=WARN
      

              Assignee: Unassigned
              Reporter: David Chan
              Votes: 0
              Watchers: 5