Password Expose Bug in XML-RPC Debugging
| Reported by: | keithdsouza | Owned by: | ryan |
Though this may not affect many users, I was testing something through xmlrpc with logging enabled and came across something that might create a security problem.
If xmlrpc logging is enabled, WP logs the password from the request struct in an unencrypted format.
Now I understand that not many will open up xmlrpc logging on production blogs. Could it be possible that WP just strikes out the password before logging it to the file? It is always the third param, so it is easy to do that. This is because people who might have xmlrpc logging enabled may not change the default log filename and location, so anyone can simply run a robot to check for http://blogurl.com/xmlrpc.log and farm passwords. (Now this may not affect blogs that have WP installed in root, since it writes to ../xmlrpc.log, so essentially outside the www access dir, but blogs with WP installed in subdirectories will be affected.)
Don't know how critical this is, as users have to manually edit the file to enable xmlrpc logging, so it might be a non-critical bug.
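
The masking requested in the report above, sketched as an added example that is not part of the ticket and is not WordPress's own code. The function name `redact_xmlrpc_password` and the sample request are hypothetical, and the position of the password (third param) is the assumption stated in the report.

```php
<?php
// Added illustration: function name and sample data are hypothetical, not WordPress code.
// Assumption taken from the report: the password is the third <param> (index 2).
function redact_xmlrpc_password(string $rawRequest, int $passwordIndex = 2): string
{
    if ($rawRequest === '') { return '[empty request]'; }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing request data.
    $ok = $doc->loadXML($rawRequest, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        // A malformed request can still carry a password, so log none of it.
        return '[unparseable request, ' . strlen($rawRequest) . ' bytes withheld]';
    }
    $xpath = new DOMXPath($doc);
    $params = $xpath->query('/methodCall/params/param');
    if ($params->length > $passwordIndex) {
        $value = $xpath->query('value', $params->item($passwordIndex))->item(0);
        if ($value !== null) {
            // Remove whatever the value holds (<string>, bare text) and leave a marker.
            while ($value->firstChild) {
                $value->removeChild($value->firstChild);
            }
            $value->appendChild($doc->createElement('string', '[REDACTED]'));
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample request.
$sample = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>metaWeblog.getRecentPosts</methodName>
  <params>
    <param><value><string>1</string></value></param>
    <param><value><string>admin</string></value></param>
    <param><value><string>example-password</string></value></param>
    <param><value><int>5</int></value></param>
  </params>
</methodCall>
XML;

echo redact_xmlrpc_password($sample), "\n";
```

The returned string is what would be written to the log in place of the raw request; the other parameters stay readable for debugging.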