target site credentials logged
While testing v1.4.1 roles issues I found some sensitive data leakage where WordPress account credentials are getting logged into the ~log.txt file. The issue is also present in v1.3.3.
The log file is inside the /wp-content/plugins/wpsitesynccontent folder and is actively logged to whenever WordPress is in debug mode. There is no other way to disable this.
define( 'WP_DEBUG', true );
2018-08-15 08:56:26#56 – SyncSettings::validate_settings():582 authenticating with data array (
'host' => 'https://dev.scrubbed.com',
'username' => 'scrubbed',
'password' => 'scrubbed',
'site_key' => 'scrubbed',
'target_site_key' => 'scrubbed',
'auth' => 0,
'strict' => '0',
'salt' => '',
'min_role' => 'author',
'remove' => '0',
'match_mode' => 'title',
'roles' => '|admin lite|author|editor|administrator|',
'url' => '',
)
2018-08-15 09:31:39#10 – sending data array: 'body' =>
'host' => 'https://dev.scrubbed.com',
'username' => 'scrubbed',
'password' => 'scrubbed',
'site_key' => 'scrubbed',
'target_site_key' => 'scrubbed',
'auth' =>
'cookie' => 'scrubbed',
'nonce' => '22ae5dabf5',
'site_key' => 'scrubbed',
'strict' => '0',
'salt' => '',
'min_role' => 'author',
'remove' => '0',
'match_mode' => 'title',
'roles' => '|admin lite|author|editor|administrator|',
'url' => '',
'encode' => 'scrubbed',
'headers' =>
'x-sync-version' => '1.3.3',
'x-wp-version' => '4.9.8',
'x-sync-source' => 'https://dev.localhost',
'x-sync-site-key' => 'scrubbed',
'x-sync-match-mode' => 'title',
'timeout' => 30,
)
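One way to keep arrays like the two logged above useful for debugging without writing secrets to disk is to redact sensitive keys before the array is dumped. This is an added example, not part of the original post and not WPSiteSync's own code: the function name `sync_redact_for_log`, the constant `SYNC_LOG_SENSITIVE_KEYS` and the sample values are hypothetical, and the key list is taken from the keys visible in the log excerpt.

```php
<?php
// Added example, not WPSiteSync code. The names below are hypothetical;
// the key list comes from the keys that appear in the log excerpt above.
const SYNC_LOG_SENSITIVE_KEYS = array(
    'username', 'password', 'site_key', 'target_site_key',
    'cookie', 'nonce', 'salt', 'encode', 'x-sync-site-key',
);

/**
 * Return a copy of $data that is safe to write to a log: values under
 * sensitive keys are replaced, nested arrays are walked recursively.
 */
function sync_redact_for_log( $data ) {
    if ( ! is_array( $data ) ) {
        return $data;
    }
    $clean = array();
    foreach ( $data as $key => $value ) {
        $is_sensitive = is_string( $key )
            && in_array( strtolower( $key ), SYNC_LOG_SENSITIVE_KEYS, true );
        if ( $is_sensitive ) {
            // Keep "empty vs. set" visible for debugging, never the value itself.
            $clean[ $key ] = ( '' === $value || null === $value ) ? '' : '[redacted]';
        } else {
            $clean[ $key ] = sync_redact_for_log( $value );
        }
    }
    return $clean;
}

// Constructed sample shaped like the second log entry above.
$request = array(
    'body'    => array(
        'host'     => 'https://dev.example.test',
        'username' => 'alice',
        'password' => 'constructed-password',
        'auth'     => array( 'cookie' => 'constructed-cookie', 'nonce' => '0000000000' ),
        'salt'     => '',
        'min_role' => 'author',
    ),
    'headers' => array( 'x-sync-version' => '1.3.3', 'x-sync-site-key' => 'constructed-key' ),
    'timeout' => 30,
);

// Only the redacted copy is ever turned into log text.
echo 'sending data array: ' . var_export( sync_redact_for_log( $request ), true ) . PHP_EOL;
```

Redacting at write time does nothing for entries already in the log file, which still hold the original values.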