[wp-trac] [WordPress Trac] #10699: Password Expose Bug in XML-RPC Debugging

WordPress Trac wp-trac at lists.automattic.com
Sat Aug 29 01:46:43 UTC 2009


#10699: Password Expose Bug in XML-RPC Debugging
--------------------------+-------------------------------------------------
 Reporter:  keithdsouza   |       Owner:  josephscott
     Type:  defect (bug)  |      Status:  new        
 Priority:  normal        |   Milestone:  Unassigned 
Component:  XML-RPC       |     Version:             
 Severity:  normal        |    Keywords:             
--------------------------+-------------------------------------------------
 Though this may not affect many users, I was testing something through
 xmlrpc with logging enabled and came across something that might create a
 security problem.

 If xmlrpc logging is enabled WP logs the password from the request struct
 in an unencrypted format.

 Now I understand that not many will open up xmlrpc logging on production
 blogs, but could it be possible that WP just strikes out the password
 before logging it to the file? As it is always the third param, it is easy
 to do that. This is because people who might have xmlrpc logging enabled
 may not change the default log filename and location, so anyone can simply
 run a robot to check for http://blogurl.com/xmlrpc.log and farm passwords
 (now this may not affect blogs that have WP installed in root, since it
 writes to ../xmlrpc.log, so essentially outside the www access dir, but
 blogs with WP installed in sub directories will be affected).

 Don't know how critical this is, as users have to manually edit the file to
 enable xmlrpc logging, so it might be a non-critical bug.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10699>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
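The mitigation the ticket asks for, masking the password parameter before the raw request is written to the log, together with a check for the root-vs-subdirectory log location problem it describes, as an added example that is not part of the ticket or of WordPress's own code. The function names, the default parameter index of 2 (the "third param" in the report), the mask string, the docroot paths and the sample request with its placeholder credentials are all assumptions made for this illustration.

```python
"""Mask the password in a raw XML-RPC request before it reaches the log."""
import os
import xmlrpc.client

# As the ticket notes, WordPress XML-RPC methods such as metaWeblog.newPost
# take the password as the third positional parameter; index 2 is assumed
# here as the default and can be overridden per method.
PASSWORD_PARAM_INDEX = 2
MASK = "********"


def redact_xmlrpc_password(raw_xml: str, index: int = PASSWORD_PARAM_INDEX) -> str:
    """Return the methodCall XML with the password parameter replaced by MASK.

    Malformed input is never copied into the log verbatim, because a broken
    request body can still carry the cleartext password.
    """
    try:
        params, method = xmlrpc.client.loads(raw_xml)
    except Exception:
        return "<!-- unparseable XML-RPC request not logged -->"
    params = list(params)
    if len(params) > index:
        params[index] = MASK
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def log_path_is_web_exposed(log_path: str, docroot: str) -> bool:
    """True if the log file resolves inside the web server's document root.

    This is the root-vs-subdirectory distinction from the ticket: a relative
    '../xmlrpc.log' escapes the docroot only when WP itself sits at the root.
    """
    log_abs = os.path.realpath(log_path)
    root_abs = os.path.realpath(docroot)
    return os.path.commonpath([log_abs, root_abs]) == root_abs


# Constructed sample request; the credentials are placeholders, not real ones.
SAMPLE_REQUEST = xmlrpc.client.dumps(
    ("1", "admin", "hunter2-constructed", {"title": "hello"}, True),
    methodname="metaWeblog.newPost",
)

if __name__ == "__main__":
    print(redact_xmlrpc_password(SAMPLE_REQUEST))
    # WP in a subdirectory: ../xmlrpc.log still lands under the docroot.
    print(log_path_is_web_exposed("/var/www/html/blog/../xmlrpc.log", "/var/www/html"))
    # WP at the docroot itself: ../xmlrpc.log lands outside it.
    print(log_path_is_web_exposed("/var/www/html/../xmlrpc.log", "/var/www/html"))
```

The redacted string is still a well-formed methodCall, so the rest of the log keeps its structure and can be replayed for debugging without the credential.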