2018-0326 Solution - Beautiful Thing About Learning

Challenge type: Code review

Affected: oauthlib

Fixed in: version: v2.0.6 v2.0.5 v2.0.4 v2.0.3 v2.0.2 v2.0.1 v2.0.0 v1.1.2 1.1.1 1.1.0 1.0.3 1.0.2 1.0.1 1.0.0 0.7.2 0.7.1 0.7.0

Original code: found here

Description

This week's challenge was a python library with an information disclosure vulnerability. Specifically, a password was being written to a log file alongside it's corresponding username. In this case, if an attacker has access to the system where the logs are stored (which could also be a centralized logging server) then credentials would be at risk of exposure. 

Solution

The fix for this issue is fairly simple, just don't log the password. There's no reason for it. The fixed can be seen below.

If you're interested in keeping up on Coffee With A Splash Of Cyber each week, subscribe by entering your email address below.

Leave a comment