Security Issue with debug log files

Details

Type: Bug
Status: Closed
Priority: P1
Resolution: Fixed
Fix Version/s: Fiona 1.1.0
Component/s: Stability and Reliability
Labels:
- top

Severity:
Critical
Version:
1.0.2.16619
Number of attachments:
0

Description

If someone creates a debug file / log file package it includes the VPN credentials (username and password) and the boxee username in plain text. The boxee password is hashed but may be reversible.
Affected files:
* guisettings.xml:
   * <vpn>(.*)</vpn>
* root-boxee.log
   * CBoxeeLoginManager
   * CGUIDialogBoxeeLoggingIn
   * RequestApplicationsListFromServerTask
This data must not be included in such logfiles since some of this attachments are available public and even for you the users credentials should not be accessible at any point!

Issue Links

relates

BOXEE-7575 Logs contain personally identifiable information

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Rafael Mizrahi [Boxee] added a comment - 21/Dec/10 3:41 AM

as a workaround, you can send the logs to boxee by email and write your username and box serial number at the issue.

Show

Rafael Mizrahi [Boxee] added a comment - 21/Dec/10 3:41 AM as a workaround, you can send the logs to boxee by email and write your username and box serial number at the issue.

Hide

Permalink

Rafael Mizrahi [Boxee] added a comment - 21/Dec/10 3:54 AM

1. at the log, password should be traced as *****
2. at the configuration files such as guisettings , password should be either replaced with **** or removed.

Show

Rafael Mizrahi [Boxee] added a comment - 21/Dec/10 3:54 AM 1. at the log, password should be traced as ***** 2. at the configuration files such as guisettings , password should be either replaced with **** or removed.

Hide

Permalink

James added a comment - 11/Jan/11 11:49 PM

I want to send in debug logs but will not until this bug is fixed. I voted.

Show

James added a comment - 11/Jan/11 11:49 PM I want to send in debug logs but will not until this bug is fixed. I voted.

Hide

Permalink

Tom Sella [Boxee] added a comment - 07/Feb/11 12:56 PM

Resolved for upcoming 1.0.4 for system side. Reassignment for Client to complete.

Show

Tom Sella [Boxee] added a comment - 07/Feb/11 12:56 PM Resolved for upcoming 1.0.4 for system side. Reassignment for Client to complete.

Hide

Permalink

Erez Razin [Boxee] added a comment - 07/Feb/11 1:24 PM

fix client side for 1.0.5 in commit -r17389.

Show

Erez Razin [Boxee] added a comment - 07/Feb/11 1:24 PM fix client side for 1.0.5 in commit -r17389.

Hide

Permalink

Rafael Mizrahi [Boxee] added a comment - 08/Feb/11 4:38 AM

verified using 1.0.4.17401 that vpn password was removed from guisettings

Show

Rafael Mizrahi [Boxee] added a comment - 08/Feb/11 4:38 AM verified using 1.0.4.17401 that vpn password was removed from guisettings

Hide

Permalink

Rafael Mizrahi [Boxee] added a comment - 08/Feb/11 4:38 AM

using 1.0.4.17401 still contain secured information in the log
will continue to verify on SP5 interim build

Show

Rafael Mizrahi [Boxee] added a comment - 08/Feb/11 4:38 AM using 1.0.4.17401 still contain secured information in the log will continue to verify on SP5 interim build

Hide

Permalink

Erez Razin [Boxee] added a comment - 29/Mar/11 10:57 AM

update/remove logs with password.
fix in commit -r18133.

Show

Erez Razin [Boxee] added a comment - 29/Mar/11 10:57 AM update/remove logs with password. fix in commit -r18133.

Hide

Permalink

Ami Ben-David [Boxee] added a comment - 29/Mar/11 2:40 PM

verified on 1.1.0.18135

Show

Ami Ben-David [Boxee] added a comment - 29/Mar/11 2:40 PM verified on 1.1.0.18135

People

Assignee:

Erez Razin [Boxee]

Reporter:

Fabian Bader

Vote (3)

Watch (4)

Dates

Created:

21/Dec/10 3:23 AM

Updated:

03/Aug/11 5:32 AM

Resolved:

29/Mar/11 10:57 AM

Agile

View on Board