Passwords clear text in exception.log

SOLVED

Why are passwords stored in clear text in the exception.log? This is a security risk. How can this be turned off?  Passwords should be hashed in the log if visible at all.

 

Here is a sample line in the log where this occurs:

 /var/www/...../shop/app/code/core/Mage/Customer/controllers/AccountController.php(154): Mage_Customer_Model_Session->login('xxxxxxx@xxxxxxx.xxx', 'clear text password')#18

2 REPLIES

Re: Passwords clear text in exception.log

It is not actually stored; rather, the intent is to print the exception trace, which in this case is the chain of classes including the login method that receives two parameters, email and password. A question would be: why are you getting the exception on login? Also, if you would like to avoid the password being exposed in logs (case: no need to know credentials for debugging), then you can override the file to remove the printed exception specific to this case - assumed Customer Module -> controllers -> AccountController->loginPostAction - and comment out Mage::logException(..) in the catch statement.

Re: Passwords clear text in exception.log

It turns out there is a patch available according to Magento support.

 

PATCH_SUPEE-3570_EE_1.13.1.0_v2
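Neither reply covers the entries already written to exception.log. The script below is an added example, not code from this thread or from Magento: it redacts the argument list of `login()` trace frames in an existing log. The sample lines, file paths and the list of sensitive method names are constructed assumptions.

```python
import re
import sys

MASK = "[REDACTED]"

# Methods whose trace arguments may carry credentials (assumed list; extend as needed).
SENSITIVE_METHODS = ("login", "authenticate")

# A PHP trace frame looks like "file.php(154): Class->method(args)". The argument
# list is matched up to the ")" that ends the frame: end of line, or the next
# "#N" frame marker when frames were joined onto one line, as in the sample above.
# This lets a password that itself contains ")" be removed in full.
_FRAME = re.compile(
    r"(?P<call>(?:->|::)(?:%s)\()(?P<args>.*?)\)(?=\s*(?:#\d+\b|$))"
    % "|".join(map(re.escape, SENSITIVE_METHODS)),
    re.MULTILINE,
)


def redact(text):
    """Return (scrubbed_text, number_of_frames_redacted)."""
    count = 0

    def _sub(match):
        nonlocal count
        # Skip frames with no arguments or ones scrubbed on an earlier run.
        if match.group("args").strip() in ("", MASK):
            return match.group(0)
        count += 1
        return f"{match.group('call')}{MASK})"

    return _FRAME.sub(_sub, text), count


# Constructed sample in the shape of the log line quoted in the question.
SAMPLE = (
    "#16 /srv/example/AccountController.php(154): "
    "Mage_Customer_Model_Session->login('user@example.com', 'S3cr)et!')\n"
    "#17 /srv/example/Action.php(418): "
    "Mage_Customer_AccountController->loginPostAction()\n"
)

if __name__ == "__main__":
    # Usage: python scrub.py < exception.log > exception.scrubbed.log
    scrubbed, n = redact(sys.stdin.read())
    sys.stdout.write(scrubbed)
    print(f"{n} frame(s) redacted", file=sys.stderr)
```
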