Cleartext passwords written to aiowps_audit_log
I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)
How can I stop the logging of clear text passwords?
In aiowps_audit_log in the stacktrace column you can find something like this:
a:10:{i:0;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:12:"record_event";s:5:"class";s:33:"AIOWPSecurity_Audit_Event_Handler";s:4:"type";s:2:"->";s:4:"args";a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}i:1;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:332;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:2:{i:0;s:0:"";i:1;a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}}i:2;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:517;s:8:"function";s:9:"do_action";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:0:"";}}i:3;a:4:{s:4:"file";s:118:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-audit-events.php";s:4:"line";i:464;s:8:"function";s:9:"do_action";s:4:"args";a:5:{i:0;s:19:"aiowps_record_event";i:1;s:16:"successful_login";i:2;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:3;s:4:"info";i:4;s:10:"ADMINUSER";}}i:4;a:6:{s:4:"file";s:116:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php";s:4:"line";i:185;s:8:"function";s:22:"event_successful_login";s:5:"class";s:26:"AIOWPSecurity_Audit_Events";s:4:"type";s:2:"::";s:4:"args";a:1:{i:0;s:10:"ADMINUSER";}}i:5;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:17:"post_authenticate";s:5:"class";s:24:"AIOWPSecurity_User_Login";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:6;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:205;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:7;a:4:{s:4:"file";s:52:"/home/SERVER-LOGIN/public_html/wp-includes/pluggable.php";s:4:"line";i:616;s:8:"function";s:13:"apply_filters";s:4:"args";a:4:{i:0;s:12:"authenticate";i:1;N;i:2;s:10:"ADMINUSER";i:3;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:8;a:4:{s:4:"file";s:47:"/home/SERVER-LOGIN/public_html/wp-includes/user.php";s:4:"line";i:106;s:8:"function";s:15:"wp_authenticate";s:4:"args";a:2:{i:0;s:10:"ADMINUSER";i:1;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:9;a:4:{s:4:"file";s:39:"/home/SERVER-LOGIN/public_html/wp-login.php";s:4:"line";i:1241;s:8:"function";s:9:"wp_signon";s:4:"args";a:1:{i:0;s:0:"";}}}
How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
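The trace above is PHP serialize() output of a debug backtrace whose frames keep their call arguments, and two of those frames are WordPress core calls that take the submitted password as a positional argument: wp_authenticate($username, $password) at index 1 and the global apply_filters('authenticate', $user, $username, $password) at index 3. The script below is an added example, written in Python, and is not code from the All In One WP Security plugin or from WordPress. It parses such a column value, counts frames that carry a plaintext password argument (so an administrator can measure how many stored rows are affected before an audit), and returns a copy with those arguments replaced, recomputing the byte lengths so the result is still valid serialized PHP. The sample trace, the file paths and the credentials in it are constructed for the example; reading rows from and writing them back to the database is left to the caller.

```python
"""Added example (not part of the plugin or WordPress): find and redact
plaintext-password arguments inside a PHP-serialized backtrace.  Only the
serialize() scalar and array types (N, b, i, d, s, a) are handled; objects
(O:) raise ValueError."""


class PhpUnserializer:
    """Minimal reader for PHP serialize() output."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def _until(self, delim: bytes) -> bytes:
        # Return the token between 'X:' and the next delimiter, advancing past it.
        end = self.data.index(delim, self.pos + 2)
        token = self.data[self.pos + 2:end]
        self.pos = end + 1
        return token

    def parse(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":                        # N;
            self.pos += 2
            return None
        if tag == b"b":                        # b:1;
            return self._until(b";") == b"1"
        if tag == b"i":                        # i:308;
            return int(self._until(b";"))
        if tag == b"d":                        # d:1.5;
            return float(self._until(b";"))
        if tag == b"s":                        # s:4:"file";  (length counts BYTES)
            length = int(self._until(b":"))
            start = self.pos + 1               # skip the opening quote
            value = self.data[start:start + length]
            self.pos = start + length + 2      # skip closing quote and ';'
            return value.decode("utf-8")
        if tag == b"a":                        # a:2:{key value key value}
            count = int(self._until(b":"))
            self.pos += 1                      # skip '{'
            out = {}
            for _ in range(count):
                key = self.parse()
                out[key] = self.parse()
            if self.data[self.pos:self.pos + 1] != b"}":
                raise ValueError("malformed array at offset %d" % self.pos)
            self.pos += 1
            return out
        raise ValueError("unsupported token %r at offset %d" % (tag, self.pos))


def php_serialize(value) -> bytes:
    """Inverse of PhpUnserializer.parse; string lengths are recomputed in bytes."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):               # must precede the int check
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("cannot serialize %r" % type(value))


REDACTED = "[REDACTED]"


def password_arg_positions(frame: dict):
    """Argument indexes that hold the plaintext password in a WordPress core frame:
    wp_authenticate($username, $password) -> 1;
    global apply_filters('authenticate', $user, $username, $password) -> 3."""
    args = frame.get("args")
    if not isinstance(args, dict):
        return ()
    if frame.get("function") == "wp_authenticate":
        return (1,)
    if frame.get("function") == "apply_filters" and "class" not in frame \
            and args.get(0) == "authenticate":
        return (3,)
    return ()


def redact_stacktrace(serialized: bytes):
    """Return (redacted serialized trace, number of password arguments replaced)."""
    frames = PhpUnserializer(serialized).parse()
    count = 0
    for frame in (frames.values() if isinstance(frames, dict) else ()):
        if not isinstance(frame, dict):
            continue
        for pos in password_arg_positions(frame):
            if isinstance(frame["args"].get(pos), str) and frame["args"][pos] != REDACTED:
                frame["args"][pos] = REDACTED
                count += 1
    return php_serialize(frames), count


# Constructed sample: the last three frames of a login trace, with valid lengths.
SAMPLE_TRACE = (
    b'a:3:{'
    b'i:0;a:4:{s:4:"file";s:22:"/var/www/pluggable.php";s:4:"line";i:616;'
    b's:8:"function";s:13:"apply_filters";s:4:"args";a:4:{i:0;s:12:"authenticate";'
    b'i:1;N;i:2;s:5:"admin";i:3;s:9:"hunter2!!";}}'
    b'i:1;a:4:{s:4:"file";s:17:"/var/www/user.php";s:4:"line";i:106;'
    b's:8:"function";s:15:"wp_authenticate";s:4:"args";a:2:{i:0;s:5:"admin";i:1;s:9:"hunter2!!";}}'
    b'i:2;a:4:{s:4:"file";s:21:"/var/www/wp-login.php";s:4:"line";i:1241;'
    b's:8:"function";s:9:"wp_signon";s:4:"args";a:1:{i:0;s:0:"";}}'
    b'}'
)

if __name__ == "__main__":
    cleaned, n = redact_stacktrace(SAMPLE_TRACE)
    print("password arguments redacted:", n)
    print(cleaned.decode())
```

Run against every row of the stacktrace column, a non-zero count is the evidence that credentials reached the table; the returned bytes can be written back in place of the original value. Because the arguments are matched by WordPress core signature rather than by pattern, a password that happens to look like a username is still caught, and a frame whose args were already stripped (as with DEBUG_BACKTRACE_IGNORE_ARGS) is left untouched.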