
Issue regarding logging sensitive information

Open nevercodecorrect opened this issue 1 year ago • 3 comments

Hello, while playing with the tool, I noticed that sensitive information like the WordPress password will be logged, which could be a potential security issue as described in CWE-200. The problematic code is located here; I am wondering if this is intended behavior.

nevercodecorrect avatar Jan 19 '24 01:01 nevercodecorrect

Hello @nevercodecorrect, I agree the Python class names are not really good, but in this example, Log.info will display credentials to the user, but with log=False so as not to keep those credentials in /var/log/wo/wordops.log. Let me know if it's still a security issue.

VirtuBox avatar Jan 19 '24 18:01 VirtuBox

Hello @VirtuBox, thanks for the reply. This could still be a security issue, although it is not that critical. There is one existing case where it uses logger.info() to print a key to stderr. Or there is another example described in CodeQL.

nevercodecorrect avatar Jan 20 '24 01:01 nevercodecorrect
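The two comments above describe the trade-off at the heart of the report: the operator needs to see a freshly generated credential on the terminal, but that credential must not be persisted to /var/log/wo/wordops.log. The following is an added example, not WordOps code, that combines the per-message `log=False` opt-out VirtuBox describes with a redacting formatter on the file handler, so that a message someone forgets to tag with `log=False` (the "existing case" nevercodecorrect mentions) still does not write a password or token into the file. The `Log` class, the `SECRET_KEYS` list, and all sample credential values are constructed for this example.

```python
"""Added example (not WordOps code): show credentials on the terminal while
keeping them out of the persistent log file.

Two complementary controls:
  1. a `log=False` flag that skips the file handler for one message, and
  2. a redacting formatter on the file handler as a safety net for messages
     that are written with the default `log=True`.
All key names, messages and credential values below are constructed.
"""
import logging
import re
from io import StringIO

# Field names whose values must never reach the persistent log (assumed list).
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key")

# Matches "<key>: value" or "<key>=value", case-insensitive; the value is the
# run of non-space characters that follows the separator.
_SECRET_RE = re.compile(
    r"(?P<key>" + "|".join(SECRET_KEYS) + r")(?P<sep>\s*[:=]\s*)(?P<val>\S+)",
    re.IGNORECASE,
)


def redact(text):
    """Replace the value part of every secret-looking key/value pair."""
    return _SECRET_RE.sub(
        lambda m: "{}{}[REDACTED]".format(m.group("key"), m.group("sep")), text
    )


class RedactingFormatter(logging.Formatter):
    """Formatter for the file handler: redacts after the record is rendered,
    so arguments interpolated into the message are covered as well."""

    def format(self, record):
        return redact(super().format(record))


class Log:
    """Minimal stand-in for a CLI logger with an opt-out from the log file."""

    def __init__(self, console, logfile):
        self.console = console
        self.logger = logging.getLogger("example.{}".format(id(self)))
        self.logger.setLevel(logging.INFO)
        self.logger.propagate = False
        handler = logging.StreamHandler(logfile)
        handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
        self.logger.addHandler(handler)

    def info(self, msg, log=True):
        # The terminal is transient: the operator needs the real value here.
        self.console.write(msg + "\n")
        if log:
            # The file is persistent: every line passes the redacting formatter.
            self.logger.info(msg)


def demo():
    """Return (terminal_output, logfile_output) for three representative lines."""
    console, logfile = StringIO(), StringIO()
    wo = Log(console, logfile)
    wo.info("WordPress admin user: alice", log=True)
    # Constructed sample credential, deliberately kept out of the file.
    wo.info("WordPress admin password: Hunter2!xyz", log=False)
    # Missing log=False: the formatter still strips the value from the file.
    wo.info("site token=abc123 created", log=True)
    return console.getvalue(), logfile.getvalue()


if __name__ == "__main__":
    terminal, persisted = demo()
    print("--- terminal ---\n" + terminal)
    print("--- wordops.log ---\n" + persisted)
```

Redacting in the formatter rather than in a `logging.Filter` matters when several handlers share one logger: a filter that rewrites `record.msg` would also alter what a console handler attached to the same logger prints, whereas a formatter only changes the rendered string for the handler it belongs to.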

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 03 '24 02:03 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Mar 09 '24 01:03 github-actions[bot]