Opened 16 years ago
Closed 10 years ago
#10699 closed defect (bug) (wontfix)
Password Expose Bug in XML-RPC Debugging
Reported by: | | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | normal | Version: |
Component: | XML-RPC | Keywords: | close
Focuses: | | Cc: |
Description
Though this may not affect many users, I was testing something through xmlrpc with logging enabled and came across something that might create a security problem.
If xmlrpc logging is enabled WP logs the password from the request struct in an unencrypted format.
Now, I understand that not many will open up xmlrpc logging on production blogs, but could it be possible that WP just strikes out the password before logging it to the file? As it is always the third param, this is easy to do. The reason is that people who might have xmlrpc logging enabled may not change the default log filename and location, so anyone can simply run a robot to check for http://blogurl.com/xmlrpc.log and farm passwords. (Now this may not affect blogs that have WP installed in root, since it writes to ../xmlrpc.log, so essentially outside the www access dir, but blogs with WP installed in sub directories will be affected.)
Don't know how critical this is as users have to manually edit the file to enable xmlrpc logging so it might be a non critical bug.
Change History (5)
#1 @ 15 years ago
- Component changed from XML-RPC to Security
- Milestone changed from Unassigned to Future Release
- Owner changed from josephscott to ryan
The XML-RPC logger currently logs raw incoming HTTP post data. In order to hide the password, you would need to parse the XML first to determine where it is before you could obfuscate it. This has the potential to obfuscate the wrong thing (especially if you're testing and your XML is not correct), in which case you would defeat the purpose of writing a debug log.
Proposing wontfix. Maybe we could just add an extra warning in the inline docs: Don't use this in a production environment.
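The redaction the reporter proposes, together with the parsing concern raised in comment #1, as an added stand-alone illustration in Python (this is not WordPress's own XML-RPC logger code): it parses the raw POST body as XML-RPC, blanks every text node in the third param, and withholds the body from the log entirely when the XML does not parse, so a malformed request can never be logged with its password intact. The sample request, `REDACTED` and `WITHHELD` strings, and `redact_xmlrpc_password` are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample request (not captured from a real site): a WordPress-style
# XML-RPC call in which the password travels as the third <param>.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>metaWeblog.getRecentPosts</methodName>
  <params>
    <param><value><string>1</string></value></param>
    <param><value><string>admin</string></value></param>
    <param><value><string>hunter2</string></value></param>
    <param><value><int>10</int></value></param>
  </params>
</methodCall>
"""

REDACTED = "[REDACTED]"
WITHHELD = "[request body not logged: XML-RPC payload could not be parsed]"


def redact_xmlrpc_password(raw_post, password_index=2):
    """Return (text_safe_to_log, parsed).

    Parses the raw POST body as an XML-RPC methodCall and blanks every text
    node inside the param at password_index (0-based; 2 == the third param).
    If the body does not parse, the whole body is withheld: the logger cannot
    locate the credential, so it must not write the body unredacted.
    """
    try:
        root = ET.fromstring(raw_post)
    except ET.ParseError:
        return WITHHELD, False
    if root.tag != "methodCall":
        return WITHHELD, False
    params = root.findall("./params/param")
    if len(params) > password_index:
        # Blank all text in the credential param, whatever value type it uses
        # (<string>, <base64>, a bare <value>, ...), leaving other params intact.
        for el in params[password_index].iter():
            if el.text and el.text.strip():
                el.text = REDACTED
    return ET.tostring(root, encoding="unicode"), True
```

Calls with fewer than three params carry no credential at that position and are logged unchanged, which keeps the debug log useful for the cases the commenter cares about.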