5.1.7 (build 3446) does NOT mask passwords in logfile

andnet81 (Posts: 3; Location: Germany)

Attention! This is a major problem and a huge security issue.


Although the bugtracker shows this as RESOLVED, passwords in "open" command line commands are visible in clear text.

In related news: It seems the WinSCP.com executable does not have a switch/command to output a version. If this is correct, consider implementing this, because it is best practice to do so.

5.1.7 (build 3446) is what the Exe-file says.

martin (Site Admin; Posts: 27,476; Location: Prague, Czechia)

Re: 5.1.7 (build 3446) does NOT mask passwords in logfile

Only passwords in the open command log record are masked. If you are referring to a "Command-line" record, then indeed it's not masked out. You have to store the password in a script to have it masked. There are so many ways to pass a password on the command-line that it would be very difficult to locate it to mask it out. Also note that process command-line parameters are public information. Any other process on a system can retrieve them. So if you are that concerned about security, do not pass passwords on the command-line.
_________________
Martin Prikryl
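
A defender-side check for the situation discussed in this thread, as an added example that is not part of the original posts and is not WinSCP code: it masks the password in session URLs of the form `scheme://user:password@host` found in log or script text and reports which lines exposed one. The sample lines and their record layout are constructed, and only the URL form is handled; a password passed any other way is not detected.

```python
import re

# scheme://user:password@host. A literal "@" or "/" inside a password must be
# percent-encoded in a URL, so the password run ends at the first "@".
URL_CRED = re.compile(
    r"""(?P<prefix>\b[a-z][a-z0-9+.-]*://[^\s:/@"']+:)(?P<pw>[^\s/@"']+)(?=@)""",
    re.IGNORECASE,
)

# Constructed sample lines; the record layout is an assumption made for this
# example, not a copy of a real WinSCP log.
SAMPLE_LOG = [
    '. Command-line: "winscp.com" /command "open sftp://alice:S3cr3t%21@files.example.com/" "exit"',
    '. Script: open sftp://alice:***@files.example.com/',
    '. Command-line: "winscp.com" /script=upload.txt',
    '. Script: open sftp://alice@files.example.com:22/',
]


def mask_url_passwords(text):
    """Return (masked_text, n), where n is the number of passwords replaced."""
    hits = 0

    def repl(match):
        nonlocal hits
        if set(match.group("pw")) == {"*"}:  # already masked, leave untouched
            return match.group(0)
        hits += 1
        return match.group("prefix") + "***"

    return URL_CRED.sub(repl, text), hits


def audit(lines):
    """Return [(line_number, masked_line)] for lines that exposed a password."""
    findings = []
    for number, line in enumerate(lines, 1):
        masked, count = mask_url_passwords(line)
        if count:
            findings.append((number, masked))
    return findings


if __name__ == "__main__":
    for number, masked in audit(SAMPLE_LOG):
        print(f"line {number}: cleartext password in URL -> {masked}")
```
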
