• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed Got one serious bug. Check it out.

Slink

New member
#1
If some one setup smtp wrong.
And when some one register onto that forum. His all details(Username, pass, email, time setting) will be clearly visible in servererrorlogs.

I tested it several time and all time I got this.

Fix this.
Thank You.
Regards,
Slink
 

Jake Bunce

XenForo moderator
Staff member
#2
Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.
 

Jeremy P

Well-known member
#3
Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.
Where else are the admins capable of viewing user passwords? Note also that when you change a users password via the admin panel, the value is not recorded in the admin log. Sure, if you trust your admins and have SMTP setup properly, this isn't really an issue. However that will not be the case for everybody, and if for nothing else but consistency, passwords should be blanked from the error log.
 

ENF

Well-known member
#4
For reference, if the mail connection for sending fails, this shows up in the bottom of the error message when a user registers:

Code:
array(3) {
  ["url"] => string(36) "http://someotherwebsite.jkl/register/register"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(13) {
    ["username"] => string(7) "Someusername"
    ["email"] => string(19) "someonesemail@somemailhost.com"
    ["password"] => string(9) "Apassword"
    ["password_confirm"] => string(9) "Apassword"
    ["dob_month"] => string(1) "6"
    ["dob_day"] => string(1) "1"
    ["dob_year"] => string(4) "1984"
    ["gender"] => string(6) "male"
    ["timezone"] => string(16) "America/New_York"
    ["recaptcha_challenge_field"] => string(185) "03AHJ_VusdWbYKxYhIECpyPIwqjk-xJ-g0TodfJiH_58XFq6h-eh2RnBsre_LpJvnBhQtdUbFRQMTK_6fpDIayXRn_quroo3eXAtH0WmhrT4Ub-j0Tp4Ekic9bcr51h6i2-TQ7LWELQxFbPboi5Z56kW4XDoLb-E6bwvm94dwuSAnuZfdX05iJNgg"
    ["recaptcha_response_field"] => string(14) "ysteaak places"
    ["agree"] => string(1) "1"
    ["_xfToken"] => string(0) ""
  }
}
 

Jake Bunce

XenForo moderator
Staff member
#5
Then you would have to setup different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.
 

Slink

New member
#6
This is a serious problem. Because, Admin can see other users password. Sometimes they put there mail password and forum login password same. So, this is a serious Problem.
If the password not visible in clear-text then it will be better.
 

Jeremy P

Well-known member
#7
Then you would have to setup different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.
Not really. You'd just have to strip post inputs for password and password_confirm when inserting things in the error log. No need to make it more complicated from that, just strip it in whatever function actually saves the logs to the database. No special handling is required beyond that.
 

Chris D

XenForo developer
Staff member
#8
This is a serious problem. Because, Admin can see other users password. Sometimes they put there mail password and forum login password same. So, this is a serious Problem.
If the password not visible in clear-text then it will be better.
If this ever poses an actual problem for you then you are employing the wrong admins.
 

Jeremy P

Well-known member
#9
If this ever poses an actual problem for you then you are employing the wrong admins.
As much as I wish we lived in a world where everyone completely trusted their administrators, and chose them very carefully, and that administrators would never "go rogue," history has shown that is certainly not the case. You're completely correct that no good admin would use this bug for malicious purposes, but unfortunately in the real world not every admin is a good admin, and that will never be the case. S* happens, sometimes people you trust with your life turn on you.

So yeah, the real problem is with bad admins, but since we don't live in a perfect world I still feel this needs addressing. It's so easy to fix anyways. I could do it in 5-10 minutes (with direct file edits).

Edit: Not on my dev machine right now but I'll go ahead come up for a fix for this as soon as I can.
 

Jeremy P

Well-known member
#11
Just to note, I won't be releasing the fix as an addon. If somebody else wants to, feel free. I am just going to provide a code edit to show how easily this can be addressed and to save the devs time should they (hopefully) decide that this needs addressing.

Waindigo got it! :cool: