• Resolved c0ntr07

    (@c0ntr07)


    I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)

    How can I stop the logging of clear text passwords?

    In aiowps_audit_log in the stacktrace column you can find something like this:

    a:10:{i:0;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:12:"record_event";s:5:"class";s:33:"AIOWPSecurity_Audit_Event_Handler";s:4:"type";s:2:"->";s:4:"args";a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}i:1;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:332;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:2:{i:0;s:0:"";i:1;a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}}i:2;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:517;s:8:"function";s:9:"do_action";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:0:"";}}i:3;a:4:{s:4:"file";s:118:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-audit-events.php";s:4:"line";i:464;s:8:"function";s:9:"do_action";s:4:"args";a:5:{i:0;s:19:"aiowps_record_event";i:1;s:16:"successful_login";i:2;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:3;s:4:"info";i:4;s:10:"ADMINUSER";}}i:4;a:6:{s:4:"file";s:116:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php";s:4:"line";i:185;s:8:"function";s:22:"event_successful_login";s:5:"class";s:26:"AIOWPSecurity_Audit_Events";s:4:"type";s:2:"::";s:4:"args";a:1:{i:0;s:10:"ADMINUSER";}}i:5;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:17:"post_authenticate";s:5:"class";s:24:"AIOWPSecurity_User_Login";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:6;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:205;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:7;a:4:{s:4:"file";s:52:"/home/SERVER-LOGIN/public_html/wp-includes/pluggable.php";s:4:"line";i:616;s:8:"function";s:13:"apply_filters";s:4:"args";a:4:{i:0;s:12:"authenticate";i:1;N;i:2;s:10:"ADMINUSER";i:3;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:8;a:4:{s:4:"file";s:47:"/home/SERVER-LOGIN/public_html/wp-includes/user.php";s:4:"line";i:106;s:8:"function";s:15:"wp_authenticate";s:4:"args";a:2:{i:0;s:10:"ADMINUSER";i:1;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:9;a:4:{s:4:"file";s:39:"/home/SERVER-LOGIN/public_html/wp-login.php";s:4:"line";i:1241;s:8:"function";s:9:"wp_signon";s:4:"args";a:1:{i:0;s:0:"";}}}

    How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
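    One defensive way to handle a trace like the one above, as an added PHP example (not the plugin's own code): drop the `args` element from every frame before a backtrace is stored, and scan rows already written for authentication frames that still carry arguments. The function names are hypothetical, and the sample trace is constructed with the same placeholder values as the post.

```php
<?php
// Added example, not AIOS code: the password reaches the log only because the
// stored backtrace keeps each frame's 'args' (wp_authenticate(), the 'authenticate'
// filter, wp_signon()). Stripping args from every frame is safer than trying to
// recognise secrets by name.

/** Remove 'args' from every frame of a debug_backtrace()-style array. */
function aios_example_scrub_backtrace(array $frames): array {
    foreach ($frames as &$frame) {
        unset($frame['args']);
    }
    unset($frame);
    return $frames;
}

/**
 * Audit a serialised stacktrace column value (as stored in aiowps_audit_log) and
 * return the names of authentication frames that still carry arguments.
 */
function aios_example_find_leaky_frames(string $serialized): array {
    // allowed_classes=false: never instantiate objects from log data.
    $frames = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($frames)) {
        return [];
    }
    $auth_funcs = ['wp_authenticate', 'wp_authenticate_username_password', 'wp_signon'];
    $leaky = [];
    foreach ($frames as $frame) {
        if (isset($frame['function'], $frame['args'])
            && in_array($frame['function'], $auth_funcs, true)
            && $frame['args'] !== []) {
            $leaky[] = $frame['function'];
        }
    }
    return $leaky;
}

// Constructed sample: two frames shaped like the trace in the post, placeholders only.
$sample = serialize([
    ['file' => '/var/www/wp-includes/user.php', 'line' => 106, 'function' => 'wp_authenticate',
     'args' => ['ADMINUSER', 'ADMIN_PASSWORD_IN_CLEARTEXT']],
    ['file' => '/var/www/wp-login.php', 'line' => 1241, 'function' => 'wp_signon', 'args' => ['']],
]);

print_r(aios_example_find_leaky_frames($sample));
$clean = serialize(aios_example_scrub_backtrace(unserialize($sample)));
var_dump(strpos($clean, 'ADMIN_PASSWORD_IN_CLEARTEXT') === false);

// Preferred at capture time: do not collect arguments in the first place.
$trace_without_args = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
```

    Rows already in the database still need to be purged or rewritten after the plugin is fixed, since scrubbing new traces does nothing for what was logged earlier.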

Viewing 4 replies - 16 through 19 (of 19 total)
  • Plugin Support aporter

    (@aporter)

    Hi,

    Thank you, we have tracked down that issue.

    This copy of the plugin resolves it:

    https://gofile.io/d/HlY4vJ

    This copy of the plugin will be released soon.

    Best wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    Was the plug-in not tested? I am very hesitant to install this fix. AIOS has taken down my website three times now and we still have clear text passwords in logs and backups. I have very little confidence in AIOS’s development skills and security awareness.

    Plugin Support aporter

    (@aporter)

    Hi,

    Yes, the plugin has been heavily tested. We delayed the release of 5.2.0 (which fixes the cleartext auth data issue) trying to track this problem down; unfortunately we were unable to reproduce the conditions needed to get the above error.

    After release two more users encountered the same issue, one of them was able to provide a key bit of information to help us track the issue down.

    The issue comes from having a combination of options enabled with the firewall downgraded.

    The above zip resolved the issue for those users.

    There's one other performance tweak in the works and 5.2.1 will be released shortly.

    Best Wishes,

    Ashley

    Plugin Support aporter

    (@aporter)

    Hi,

    Version 5.2.1 has just been released.

    This should resolve the above issue.

    Let me know if you have any other problems.

    Best Wishes,

    Ashley

  • The topic ‘Cleartext passwords written to aiowps_audit_log’ is closed to new replies.