Make WordPress Core

Opened 12 years ago

Closed 6 years ago

#10699 closed defect (bug) (wontfix)

Password Expose Bug in XML-RPC Debugging

Reported by: keithdsouza Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords: close
Focuses: Cc:


Though this may not effect many users, I was testing something through xmlrpc with logging enabled and came across something that might create a security problem.

If xmlrpc logging is enabled WP logs the password from the request struct in an unencrypted format.

Now I understand that not many will open up xmlrpc logging on production blogs, could it be possible that WP just strikes out the password before logging it to the file as it is always the third param so easy to do that, this is because people who might have xmlrpc logging enabled may not change the default log filename and location so anyone can simply run a robot to check for http://blogurl.com/xmlrpc.log and farm passwords (now this may not affect blogs that have WP installed in root since it writes to ../xmlrpc.log, so essentially outside the www access dir, but blogs with WP installed in sub directories will be affected).

Don't know how critical this is as users have to manually edit the file to enable xmlrpc logging so it might be a non critical bug.

Change History (5)

#1 @nacin
12 years ago

  • Component changed from XML-RPC to Security
  • Milestone changed from Unassigned to Future Release
  • Owner changed from josephscott to ryan

#2 @solarissmoke
11 years ago

  • Keywords close added

The XML-RPC logger currently logs raw incoming HTTP post data. In order to hide the password, you would need to parse the XML first to determine where it is before you could obfuscate it. This has the potential to obfuscate the wrong thing (especially if you're testing and your XML is not correct), in which case you would defeat the purpose of writing a debug log.

Proposing wontfix. Maybe we could just add an extra warning in the inline docs: Don't use this in a production environment.

#3 @nacin
9 years ago

  • Component changed from Security to XML-RPC

I believe XML-RPC logging is now a straight error_log() call, so it is no worse than doing server level logging of POST data, as someone may configure from time to time.

#4 @ryan
8 years ago

  • Owner ryan deleted
  • Status changed from new to assigned

#5 @wonderboymusic
6 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

4 years since it was proposed wontfix

Note: See TracTickets for help on using tickets.