Topic "5.1.7 (build 3446) does NOT mask passwords in logfile"

Author Message
andnet81
[View user's profile]

Joined: 2013-09-24
Posts: 3
Location: Germany
Attention! This is a major problem and a huge security issue.


Although the bugtracker shows this as RESOLVED,
passwords in "open" command line commands are visible in clear text.


In related news: It seems WinSCP.com executable does not have a switch/command to output a version. If this is correct, consider implementing this, because it best practice to do so.

5.1.7 (build 3446) is what the Exe-file says.
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Only passwords in open command log record are masked. If you are referring to a "Command-line" record, then indeed it's not masked out. You have to stored the password to a script to have it masked. There are so many ways to pass a password on command-line, that it's would be very difficult to locate it to mask it out. Also note that process command-line parameters is a public information. Any other process on a system can retrieve that. So if you are that concerned about security, do not pass passwords on command-line.
_________________
Martin Prikryl
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License