
[BUG] Passwords are logged when setting OperationLogOff to false

Open Stoakes opened this issue 2 years ago • 2 comments

Bug Description [describe the bug in detail]

Hello, when setting OperationLogOff to false (which is the default value), passwords are logged in the GoAdmin operation log. This leaks any user password.

How to reproduce [describe the steps how to reproduce the bug]

  1. Create a new goadmin instance
  2. Connect as admin
  3. Create a new user account and define their password
  4. Log in as the newly created user, browse to settings and edit your password
  5. Browse to /admin/info/op
  6. You can see the different passwords in logged payload

Expect [describe your expect result]

Passwords are not logged or are redacted from log.

Versions

  • GoAdmin version: 1.2.23

I can open a merge request fixing this issue, I'd just like your opinion on what would be the best way to proceed:

  • inspect payload and redact password fields
  • avoid login form data for some URLs.
  • other

Thanks in advance for your answer.

Stoakes, Mar 24 '22 10:03
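The first option in the list above (inspect the payload and redact password fields before it reaches the operation log) as an added Go example; this is not go-admin's own code, and the list of sensitive key names and the function names are assumptions:

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// Assumed substrings marking a form key as secret; go-admin's actual
// field names are not given in the issue, so this list is hypothetical.
var sensitiveKeys = []string{"password", "passwd", "pwd", "secret", "token"}

// isSensitive reports whether a form key must never reach the operation log.
func isSensitive(key string) bool {
	k := strings.ToLower(key)
	for _, s := range sensitiveKeys {
		if strings.Contains(k, s) {
			return true
		}
	}
	return false
}

// RedactForm returns a copy of the submitted form with every sensitive
// value replaced by a fixed marker, so the log still records which fields
// were sent without recording the secret itself. The input is not mutated.
func RedactForm(form url.Values) url.Values {
	out := make(url.Values, len(form))
	for key, vals := range form {
		if isSensitive(key) {
			out[key] = []string{"[REDACTED]"}
			continue
		}
		out[key] = append([]string(nil), vals...)
	}
	return out
}

// LogPayload is what an operation-log writer would persist: the redacted
// form serialised as JSON, so a caller cannot forget the redaction step.
func LogPayload(form url.Values) (string, error) {
	b, err := json.Marshal(RedactForm(form))
	if err != nil {
		return "", err
	}
	return string(b), nil
}
```

Matching on key substrings rather than exact names also covers confirmation fields such as password_confirm, which the reproduction steps above would otherwise still leak.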

After some additional tests and digging into the code, I feel like the OperationLogOff config parameter is anyway not injected into github.com/GoAdminGroup/go-admin/plugins/admin/controller.Handler configuration.

Stoakes, Mar 24 '22 15:03

+1

thenick775, Apr 17 '23 05:04