There are multiple information leaks in cms-dev/cms
1. File: cms/cmscontrib/AddAdmin.py, function: add_admin. Log information disclosure of username and password.
Uhmmmmmm...... that's normal. It's where the cmsAddAdmin script reminds you of the login info for the admin account you just created. That does not constitute a leak.
I'm not sure about it but is it really normal to log plain text passwords?
In this special case I think it's ok since logger.info is being used as a normal stdout print statement.
Also there must be a way to let the user know the randomly generated password.
@niuzhi Do you have a more secure way in mind to do this?
I agree that we could at least log the password only when it gets randomly generated (i.e. the password is None case) and skip showing it when it's provided (i.e. when we call cmsAddAdmin ... -p thepassword).