Challenge type: Code review
Fixed in: version: v2.0.6 v2.0.5 v2.0.4 v2.0.3 v2.0.2 v2.0.1 v2.0.0 v1.1.2 1.1.1 1.1.0 1.0.3 1.0.2 1.0.1 1.0.0 0.7.2 0.7.1 0.7.0
Original code: found here
This week's challenge was a Python library with an information disclosure vulnerability. Specifically, a password was being written to a log file alongside its corresponding username. If an attacker gains access to the system where the logs are stored (which could also be a centralized logging server), the credentials are at risk of exposure.
The fix for this issue is fairly simple: just don't log the password. There's no reason for it. The fix can be seen below.
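As an added example (not the challenge's original code or its published fix), the snippet below shows the vulnerable logging call beside the fixed one, a defence-in-depth `logging.Filter` that redacts `password=` style fields before they reach any handler, and a small scanner that flags existing log lines carrying such fields. The function names, the `hunter2`/`secret123` values and the sample log lines are all constructed for this illustration.

```python
import io
import logging
import re


def _make_logger(name):
    """Build an isolated logger that writes to an in-memory buffer so the
    examples can return their log output for inspection."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, stream


def login_vulnerable(username, password):
    """Before: the password lands in the log next to the username."""
    logger, stream = _make_logger("example.vulnerable")
    logger.info("login attempt user=%s password=%s", username, password)
    return stream.getvalue()


def login_fixed(username, password):
    """After: the secret is simply never passed to the logger."""
    logger, stream = _make_logger("example.fixed")
    logger.info("login attempt user=%s", username)
    return stream.getvalue()


# Fields that should never appear with their value in a log line.
_SECRET_FIELD = re.compile(r"\b(password|passwd|pwd)=(\S+)", re.IGNORECASE)


class SecretRedactingFilter(logging.Filter):
    """Defence in depth: if a secret-looking field slips into a message anyway,
    replace its value before any handler writes the record out."""

    def filter(self, record):
        record.msg = _SECRET_FIELD.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def login_with_redaction(username, password):
    """Same careless call as login_vulnerable, but the logger-level filter
    scrubs the value. The real fix is still to not log the password."""
    logger, stream = _make_logger("example.redacted")
    logger.addFilter(SecretRedactingFilter())
    logger.info("login attempt user=%s password=%s", username, password)
    return stream.getvalue()


def find_credential_leaks(log_lines):
    """Return 1-based line numbers of log lines that contain a secret field,
    for auditing logs that were written before the fix shipped."""
    return [i for i, line in enumerate(log_lines, start=1) if _SECRET_FIELD.search(line)]


# Constructed sample log lines, not output from any real system.
SAMPLE_LOG_LINES = [
    "INFO login attempt user=alice password=hunter2",
    "INFO login attempt user=bob",
    "WARNING auth failed user=carol passwd=secret123",
    "INFO session refreshed user=alice",
]


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable("alice", "hunter2").strip())
    print("fixed:     ", login_fixed("alice", "hunter2").strip())
    print("redacted:  ", login_with_redaction("alice", "hunter2").strip())
    print("leaking lines:", find_credential_leaks(SAMPLE_LOG_LINES))
```

The redaction filter is a safety net, not a substitute for the fix: it only catches values that follow a `key=` token with no whitespace, so a password containing spaces or logged under an unexpected key still gets through. The scanner uses the same pattern and therefore shares the same blind spot.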
If you're interested in keeping up on Coffee With A Splash Of Cyber each week, subscribe by entering your email address below.