Security Issue - password visible in logs

Advertisement

mweaver
Joined:
Posts:
1
Location:
USA

Security Issue - password visible in logs

I wasn't sure whether to post this issue here (as a bug) or in "Scripting / Automation". I came across a bug where the password is visible (plain-text) in the log file (without the intentional use of /loglevel=x*).

I found this bug in version 6.1.1.13736.

Here is the command-line to reproduce the bug:
winscp.exe /log=winscp.log /loglevel=2 /command "open sftp://username:mystrongpassword@host" "pwd" "exit"
After running that command you see the following in the winscp.log file:
. 2023-08-11 14:51:38.461 Command-line: winscp.exe  /log=winscp.log /loglevel=2 /command "open sftp://username:***@host" "pwd" "exit"
. 2023-08-11 14:51:38.461 Switch:    /log=winscp.log
. 2023-08-11 14:51:38.466 Switch:    /loglevel=2
. 2023-08-11 14:51:38.466 Switch:    /command
. 2023-08-11 14:51:38.466 Parameter: open sftp://username:mystrongpassword@host
. 2023-08-11 14:51:38.466 Parameter: pwd
. 2023-08-11 14:51:38.466 Parameter: exit
Notice in the first line (shown above) where it echos the full command line, the password is correctly masked. However, a few lines below that, where it starts to list the individual parameters, the full session URL is shown (including the plain-text password) as part of the open command.

The topic on logging (https://winscp.net/eng/docs/logging) states:
Note that passwords and passphrases are not stored to either log format.
As such, this seems like a bug that should be fixed (so the password is also masked when shown as part of the open command as a parameter listed in the log file).

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,468
Location:
Prague, Czechia

Re: Security Issue - password visible in logs

Indeed, the passwords are logged on the Debug 1 level and higher. I've updated the documentation to reflect that.

Reply with quote

Advertisement

You can post new topics in this forum