Database password is printed in logfile when DEBUG logging is enabled

Reported by Nhomar - Vauxoo on 2011-09-20
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenERP Server
Wishlist
OpenERP's Framework R&D

Bug Description

This is a real big security issue, this information NEVER should go to log.

The server is printing: db.connection_pool:ConnectionPool(used=0/count=0/max=64): Close all connections to 'port=5434 user=DBUSER password=PASSWORD dbname=tr3'

Where "DBUSER" AND "PASSWORD" ARE THE REAL ONES.

server revno: 3633.

On Tuesday 20 September 2011, you wrote:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> This is a real big security issue, this information NEVER should go to
> log.
>
> The server is printing:
> db.connection_pool:ConnectionPool(used=0/count=0/max=64): Close all
> connections to 'port=5434 user=DBUSER password=PASSWORD dbname=tr3'
>

Well, it is not critical IMHO..

In terms of security, you shouldn't have used a password (alone) as means of
authenticating to the postgres database.

The reason is, that this password is unconditionally accessible by the user
running the openerp server. That is, any module, any python eval()'ed snippet
could read this password and send it out. The fact that one log file, also
belonging to the same user, contains that password, is no less secure than
"openerp-server.conf" itself.

Moreover, this information is only logged when pooler is at 'debug' log-level.
This means that the admin of the system wishes to log too much information,
which shouldn't happen in a production machine anyway.

Therefore, I'd like to reduce the severity of this bug.
Yes, I agree that no password should be logged in plaintext, but this one is
not our weak point.

I agree with xrg, this is definitely not a critical issue if you think about it for a minute. And by the way, the database password is not likely to be a kind of personal gmail/facebook password.

I can see this as a wishlist, but not more than that. If you really want to avoid leaking the database password in all circumstances, you should setup the postgres connection without any password, for example using UNIX sockets and ident authentication.

Changed in openobject-server:
importance: Critical → Wishlist
milestone: 6.1 → none
status: New → Confirmed
security vulnerability: yes → no
visibility: private → public
Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
summary: - [TRUNK] Whn you delete a DB psql password is printed on log
+ Database password is printed in logfile when DEBUG logging is enabled
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers