Spring Security
SEC-1285

minor vulnerability in BasicProcessingFilter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0.RC2
    • Component/s: Web
    • Labels: None

      Description

      In the log4j (at debug level) output I see the authorization header when the BasicProcessingFilter authentication filter is used:
      Authorization header: Basic cGVhY2gucmVkLmludGVybmFsOmFsZ3Bhc3N3b3Jk

      This information contains the username and password, simply obfuscated in base64; the username and password of any user can be discovered from the log4j logs. The proper behavior would be to remove the logging, or make it optional via an optional flag set on the BasicProcessingFilter. Right now it is not possible to change the behavior via configuration or sub-classing since it happens as part of doFilterHttp(), which also implements the core functionality.

        Activity

        Luke Taylor added a comment -

        We wouldn't class this as a vulnerability since it is a matter of debug logging configuration. There are many ways in which a system can be configured to log sensitive information, but which would be regarded as vulnerabilities per se. However, it doesn't seem essential that the full authentication header is logged by this filter, so I've modified the output to prevent output of the header value. Instead, just the username will be logged, prior to authenticating.
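        An added illustration of the logging change described in the comment above (not code from the Spring Security project): the Basic header is decoded only far enough to extract the username, and the debug line never contains the header value. The class name, method names and the log message format are assumptions; the sample credential is constructed, not the value from the ticket.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Constructed example: username-only debug logging for HTTP Basic authentication. */
public final class BasicAuthLogging {

    /**
     * Returns the username from a "Basic <base64>" Authorization header value,
     * or empty if the header is absent, not Basic, or malformed.
     * The password is decoded only to split the "user:password" pair and is never returned.
     */
    public static Optional<String> usernameForLogging(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64: log nothing rather than the raw value
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(pair.substring(0, colon));
    }

    /** Builds the debug line the way the fix does: user identity only, header value omitted. */
    public static String debugMessage(String authorizationHeader) {
        return usernameForLogging(authorizationHeader)
            .map(u -> "Basic Authentication Authorization header found for user '" + u + "'")
            .orElse("Authorization header absent or not Basic; nothing logged");
    }

    public static void main(String[] args) {
        // Constructed sample credential (user "alice", password "s3cret").
        String header = "Basic " + Base64.getEncoder()
            .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        // Before the fix the whole header value, and so the password, went to the debug log.
        System.out.println("before: Authorization header: " + header);
        // After the fix only the username is logged.
        System.out.println("after:  " + debugMessage(header));
    }
}
```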

          People

          • Assignee: Luke Taylor
          • Reporter: Justin Sands