
Fixed Got one serious bug. Check it out.

Discussion in 'Resolved Bug Reports' started by Slink, Oct 23, 2012.

  1. Slink

    Slink New Member

    If someone sets up SMTP wrong,
    and then someone registers on that forum, all his details (username, pass, email, time setting) will be clearly visible in the server error logs.

    I tested it several times and every time I got this.

    Fix this.
    Thank You.
    vVv likes this.
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.
  3. Jeremy P

    Jeremy P Well-Known Member

    Where else are the admins capable of viewing user passwords? Note also that when you change a user's password via the admin panel, the value is not recorded in the admin log. Sure, if you trust your admins and have SMTP set up properly, this isn't really an issue. However, that will not be the case for everybody, and if for nothing else but consistency, passwords should be blanked from the error log.
    Brandon Sheley, Slink and vVv like this.
  4. ENF

    ENF Well-Known Member

    For reference, if the mail connection for sending fails, this shows up in the bottom of the error message when a user registers:

    array(3) {
      ["url"] => string(36) "http://someotherwebsite.jkl/register/register"
      ["_GET"] => array(0) {
      }
      ["_POST"] => array(13) {
        ["username"] => string(7) "Someusername"
        ["email"] => string(19) "someonesemail@somemailhost.com"
        ["password"] => string(9) "Apassword"
        ["password_confirm"] => string(9) "Apassword"
        ["dob_month"] => string(1) "6"
        ["dob_day"] => string(1) "1"
        ["dob_year"] => string(4) "1984"
        ["gender"] => string(6) "male"
        ["timezone"] => string(16) "America/New_York"
        ["recaptcha_challenge_field"] => string(185) "03AHJ_VusdWbYKxYhIECpyPIwqjk-xJ-g0TodfJiH_58XFq6h-eh2RnBsre_LpJvnBhQtdUbFRQMTK_6fpDIayXRn_quroo3eXAtH0WmhrT4Ub-j0Tp4Ekic9bcr51h6i2-TQ7LWELQxFbPboi5Z56kW4XDoLb-E6bwvm94dwuSAnuZfdX05iJNgg"
        ["recaptcha_response_field"] => string(14) "ysteaak places"
        ["agree"] => string(1) "1"
        ["_xfToken"] => string(0) ""
      }
    }
    Slink likes this.
  5. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Then you would have to set up different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.
  6. Slink

    Slink New Member

    This is a serious problem, because an admin can see other users' passwords. Sometimes they use the same password for their mail and their forum login. So, this is a serious problem.
    If the password is not visible in clear text, that will be better.
  7. Jeremy P

    Jeremy P Well-Known Member

    Not really. You'd just have to strip post inputs for password and password_confirm when inserting things in the error log. No need to make it more complicated than that, just strip it in whatever function actually saves the logs to the database. No special handling is required beyond that.
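    One way to implement the stripping described in the post above, written as an added example in PHP. This is not XenForo's code and not the fix that was posted in this thread; the function name, the list of sensitive keys and the sample request array are assumptions made for illustration, with the sample mirroring the shape of the registration POST quoted earlier in the thread.

```php
<?php
// Added example (not XenForo's own code): scrub sensitive request fields before the
// request state is handed to an error logger. Function name and key list are assumptions.

/**
 * Return a copy of $data in which every key listed in $sensitiveKeys (matched
 * case-insensitively, at any nesting depth) has its value replaced by $mask.
 * The key itself is kept, so the log still shows which fields were submitted,
 * but neither the secret nor its length survives.
 */
function scrubRequestForLog(array $data, array $sensitiveKeys, string $mask = '[redacted]'): array
{
    $lookup = array_change_key_case(array_fill_keys($sensitiveKeys, true), CASE_LOWER);
    $out = [];
    foreach ($data as $key => $value) {
        if (isset($lookup[strtolower((string) $key)])) {
            $out[$key] = $mask;                                           // drop the secret
        } elseif (is_array($value)) {
            $out[$key] = scrubRequestForLog($value, $sensitiveKeys, $mask); // recurse (_POST, _GET, nested forms)
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Assumed list of field names that must never reach a log; extend it for your own forms.
$sensitiveKeys = ['password', 'password_confirm', 'old_password', 'new_password'];

// Constructed sample request state, shaped like the registration POST quoted in this thread.
$requestState = [
    'url'   => 'http://someotherwebsite.jkl/register/register',
    '_GET'  => [],
    '_POST' => [
        'username'         => 'Someusername',
        'email'            => 'someonesemail@somemailhost.com',
        'password'         => 'Apassword',
        'password_confirm' => 'Apassword',
        'timezone'         => 'America/New_York',
    ],
];

$safe = scrubRequestForLog($requestState, $sensitiveKeys);

// Belt-and-braces check right before writing: the raw secret must not be anywhere in the log text.
$logText = print_r($safe, true);
if (strpos($logText, 'Apassword') !== false) {
    throw new RuntimeException('sanitiser failed: a secret reached the log buffer');
}
echo $logText; // password and password_confirm now read [redacted]; username, email, timezone are unchanged
```

    Calling this once in the single function that persists error-log entries, as the post suggests, covers registration, login and password-change requests alike; the recursion matters because the logged request state nests $_POST and $_GET under the top-level array. Leaving the key present while masking the value keeps the log useful for debugging a failed SMTP connection without exposing a credential to whoever reads the admin error log.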
  8. Chris D

    Chris D XenForo Developer Staff Member

    If this ever poses an actual problem for you then you are employing the wrong admins.
  9. Jeremy P

    Jeremy P Well-Known Member

    As much as I wish we lived in a world where everyone completely trusted their administrators, and chose them very carefully, and that administrators would never "go rogue," history has shown that is certainly not the case. You're completely correct that no good admin would use this bug for malicious purposes, but unfortunately in the real world not every admin is a good admin, and that will never be the case. S* happens, sometimes people you trust with your life turn on you.

    So yeah, the real problem is with bad admins, but since we don't live in a perfect world I still feel this needs addressing. It's so easy to fix anyways. I could do it in 5-10 minutes (with direct file edits).

    Edit: Not on my dev machine right now, but I'll go ahead and come up with a fix for this as soon as I can.
    vVv, Brent W, Slink and 1 other person like this.
  10. Brandon Sheley

    Brandon Sheley Well-Known Member

    If there is ever a situation where the admins can see our passes in clear text, it's definitely a problem.
    This should be fixed in the core, and not require a 3rd party addon, IMHO.
    Slink, Jon W and Jeremy P like this.
  11. Jeremy P

    Jeremy P Well-Known Member

    Just to note, I won't be releasing the fix as an addon. If somebody else wants to, feel free. I am just going to provide a code edit to show how easily this can be addressed and to save the devs time should they (hopefully) decide that this needs addressing.

    Waindigo got it! :cool:
    Jon W likes this.
  12. Jon W

    Jon W Well-Known Member

  13. Slink

    Slink New Member

    Thanks Waindigo for the fix. Thanks a lot again.
    Jon W likes this.
  14. Adam Howard

    Adam Howard Well-Known Member

    I can confirm this.

    Both on a stock install and on a fully customized site.
  15. Mike

    Mike XenForo Developer Staff Member

    There were some cases where we prevented this information from being logged (like in admin logs), but I've made sure to filter it out everywhere now.
