Support » Plugin: WPSiteSync for Content » target site credentials logged

  • Resolved rkochis

    (@rkochis)


    While testing v1.4.1 roles issues I found some sensitive data leakage where wordpress account credentials are getting logged into the ~log.txt file. The issue is also present in v1.3.3

    The log file is inside the /wp-content/plugins/wpsitesynccontent folder and is actively logged to whenever wordpress is in debug mode. There is no other way to disable this.

    define( ‘WP_DEBUG’, true);

    2018-08-15 08:56:26#56 – SyncSettings::validate_settings():582 authenticating with data array (
    ‘host’ => ‘https://dev.scrubbed.com’,
    ‘username’ => ‘scrubbed’,
    ‘password’ => ‘scrubbed’,

    ‘site_key’ => ‘scrubbed’,
    ‘target_site_key’ => ‘scrubbed’,
    ‘auth’ => 0,
    ‘strict’ => ‘0’,
    ‘salt’ => ”,
    ‘min_role’ => ‘author’,
    ‘remove’ => ‘0’,
    ‘match_mode’ => ‘title’,
    ‘roles’ => ‘|admin lite|author|editor|administrator|’,
    ‘url’ => ”,
    )

    2018-08-15 09:31:39#10 – sending data array: ‘body’ =>
    ‘host’ => ‘https://dev.scrubbed.com’,
    ‘username’ => ‘scrubbed’,
    ‘password’ => ‘scrubbed’,
    ‘site_key’ => ‘scrubbed’,
    ‘target_site_key’ => ‘scrubbed’,
    ‘auth’ =>
    ‘cookie’ => ‘scrubbed’,
    ‘nonce’ => ’22ae5dabf5′,
    ‘site_key’ => ‘scrubbed’,
    ‘strict’ => ‘0’,
    ‘salt’ => ”,
    ‘min_role’ => ‘author’,
    ‘remove’ => ‘0’,
    ‘match_mode’ => ‘title’,
    ‘roles’ => ‘|admin lite|author|editor|administrator|’,
    ‘url’ => ”,
    ‘encode’ => ‘scrubbed’,
    ‘headers’ =>
    ‘x-sync-version’ => ‘1.3.3’,
    ‘x-wp-version’ => ‘4.9.8’,
    ‘x-sync-source’ => ‘http://dev.localhost’,
    ‘x-sync-site-key’ => ‘scrubbed’,
    ‘x-sync-match-mode’ => ‘title’,
    ‘timeout’ => 30,
    )

Viewing 1 replies (of 1 total)
  • Plugin Author ServerPress

    (@serverpress)

    Hi rkochis,

    Thanks for bringing this to our attention.

    The contents of the log file is protected via a rule in the .htaccess file in the plugin directory. Even so we don’t want to be logging that information. We’ve removed these from the logs and will be posting an updated version of the code to the repository shortly.

Viewing 1 replies (of 1 total)
  • The topic ‘target site credentials logged’ is closed to new replies.