Description
Insertion of Sensitive Information into Log
Impact
If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.
When you (1) use the following authenticators:
- AccessTokens (tokens)
- JWT (jwt)
- HmacSha256 (hmac)
and you (2) log successful login attempts, the raw tokens are stored.
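The failure mode above, as an added illustration that is not Shield's own code: a login-attempt log that stores the bearer token verbatim, beside a hardened variant that stores only a SHA-256 fingerprint, plus a check that tells apart rows holding raw tokens from rows holding fingerprints. The row shape, function names and sample token are constructed for the demo.

```php
<?php
// Added example, not code from codeigniter4/shield. Models a log table for
// login attempts; the 'identifier' column is what the advisory describes as
// holding the raw token in affected versions.

function recordAttemptRaw(array &$log, string $token, bool $success): void
{
    // Vulnerable pattern: the secret itself lands in the log table, so anyone
    // who can read the table can replay the token as that user.
    $log[] = ['identifier' => $token, 'success' => $success];
}

function recordAttemptHardened(array &$log, string $token, bool $success): void
{
    // Hardened pattern: log a fingerprint. It cannot be presented as a bearer
    // credential, but an analyst can still correlate rows with a known token.
    $log[] = ['identifier' => hash('sha256', $token), 'success' => $success];
}

// Triage helper for rows already written: a raw token is recognisable because
// its SHA-256 equals a hash kept in the identity store, whereas a fingerprint
// (already a hash) never matches when hashed again.
function rowsLeakingRawTokens(array $log, array $storedTokenHashes): array
{
    return array_values(array_filter(
        $log,
        fn (array $row): bool => in_array(
            hash('sha256', $row['identifier']),
            $storedTokenHashes,
            true
        )
    ));
}

// Constructed sample data: the token a client presents and the hashed form the
// identity store keeps for comparison.
$token        = bin2hex(random_bytes(32));
$storedHashes = [hash('sha256', $token)];

$rawLog = [];
recordAttemptRaw($rawLog, $token, true);
$safeLog = [];
recordAttemptHardened($safeLog, $token, true);

printf("raw log rows holding a replayable token: %d\n",
    count(rowsLeakingRawTokens($rawLog, $storedHashes)));
printf("hardened log rows holding a replayable token: %d\n",
    count(rowsLeakingRawTokens($safeLog, $storedHashes)));
```

Running the same check against an existing log table (after upgrading) is a quick way to find rows that still need to be purged or rotated.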
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts by the configuration files.
- AccessTokens or HmacSha256
  - Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
- JWT
  - Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
References
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in codeigniter4/shield
- Email us at security@codeigniter.com
Packages
codeigniter4/shield
Affected versions: < 1.0.0-beta.8
Patched versions: 1.0.0-beta.8
Related vulnerabilities
CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.