HylaFAX The world's
most advanced open source fax server
* Willy Offermans <Willy@xxxxxxxxxxxxxxxxxxx> [071115 09:26]:
> Dear HylaFAX friends,
>
> After upgrade to hylafax-4.3.4 on FreeBSD 6.2 I have found the following
> messages in /var/log/messages/
>
> Nov 15 15:15:31 sun HylaFAX[93545]: PAM checking user "patrick" pass "(null)" from "192.168.1.61"
> Nov 15 15:15:31 sun HylaFAX[93545]: PAM checking user "patrick" pass "test" from "192.168.1.61"
>
> Password test is the __actual__ password of user patrick. I do not
> think it is a good idea to disclose passwords in /var/log/messages/
> in general, unless explicitly asked for or set in a configuration file.
I agree - that probably shouldn't have been left in there... It appears
to have been a debug log that wasn't removed. The following patch fixes
it:
diff --git a/hfaxd/PAM.c++ b/hfaxd/PAM.c++
index 6bfa661..fae7083 100644
--- a/hfaxd/PAM.c++
+++ b/hfaxd/PAM.c++
@@ -110,7 +110,6 @@ bool do_pamcheck(const char* user, const char* passwd, const char* remoteaddr)
* The effective uid must be privileged enough to
* handle whatever the PAM module may require.
*/
-logWarning("PAM checking user \"%s\" pass \"%s\" from \"%s\"", user, passwd, remoteaddr);
bool retval = false;
uid_t ouid = geteuid();
(void) seteuid(0);
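Review bot: dropping the whole logWarning call at the top of do_pamcheck also drops the user and remoteaddr, which are the parts worth keeping for auditing authentication attempts; consider logging those two without the password, e.g. logWarning("PAM checking user \"%s\" from \"%s\"", user, remoteaddr);. The first quoted log line shows pass "(null)", so the removed call was also handing a null passwd to %s, and any replacement message should not format passwd at all. In the trailing context the result of seteuid(0) is cast to void, while the comment above says the effective uid must be privileged for the PAM module; checking that return value would be a reasonable follow-up.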
--
Aidan Van Dyk aidan@xxxxxxxx
Senior Software Developer +1 215 825-8700 x8103
iFAX Solutions, Inc. http://www.ifax.com/
Attachment:
signature.asc
Description: Digital signature
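The log format quoted in the report, turned into a check an administrator could run over saved syslog files (an added example, not part of the original thread or of HylaFAX): it lists the accounts whose passwords were written to the log and returns a redacted copy of the lines. The names `scan` and `PAM_LINE`, the `[REDACTED]` marker and the last two sample lines are constructed for illustration; `(null)` is assumed to mean that no password was supplied.

```python
import re
from collections import defaultdict

# Shape of the message hfaxd wrote, taken from the two lines quoted in the report.
# The password group is greedy and anchored on the trailing ' from "addr"', so a
# password that itself contains a double quote is still captured whole.
PAM_LINE = re.compile(
    r'^(?P<prefix>.*HylaFAX\[\d+\]: PAM checking user "(?P<user>[^"]*)" pass ")'
    r'(?P<passwd>.*)'
    r'(?P<suffix>" from "(?P<addr>[^"]*)")\s*$'
)

def scan(lines):
    """Return (redacted_lines, exposed); exposed maps user -> set of client addresses."""
    redacted = []
    exposed = defaultdict(set)
    for line in lines:
        m = PAM_LINE.match(line)
        if m is None:
            redacted.append(line)          # not a PAM debug line: keep untouched
            continue
        if m.group("passwd") != "(null)":  # assumption: "(null)" = no password sent
            exposed[m.group("user")].add(m.group("addr"))
        redacted.append(m.group("prefix") + "[REDACTED]" + m.group("suffix"))
    return redacted, dict(exposed)

# First two lines are the ones quoted in the report; the last two are constructed.
SAMPLE = '''\
Nov 15 15:15:31 sun HylaFAX[93545]: PAM checking user "patrick" pass "(null)" from "192.168.1.61"
Nov 15 15:15:31 sun HylaFAX[93545]: PAM checking user "patrick" pass "test" from "192.168.1.61"
Nov 15 15:16:02 sun HylaFAX[93551]: PAM checking user "alice" pass "a"b" from "192.168.1.70"
Nov 15 15:16:05 sun sshd[812]: unrelated line
'''.splitlines()

if __name__ == "__main__":
    clean, exposed = scan(SAMPLE)
    for user in sorted(exposed):
        print("password logged for %s (clients: %s)" % (user, ", ".join(sorted(exposed[user]))))
    print("\n".join(clean))
```

Every account the scan reports should have its password changed, and the same scan applies to rotated or compressed copies of the log and to any remote syslog host that received these messages.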