Topic review

martin

Re: Security Issue - password visible in logs

Indeed, the passwords are logged on the Debug 1 level and higher. I've updated the documentation to reflect that.
mweaver

Security Issue - password visible in logs

I wasn't sure whether to post this issue here (as a bug) or in "Scripting / Automation". I came across a bug where the password is visible (plain-text) in the log file (without the intentional use of /loglevel=x*).

I found this bug in version 6.1.1.13736.

Here is the command-line to reproduce the bug:
winscp.exe /log=winscp.log /loglevel=2 /command "open sftp://username:mystrongpassword@host" "pwd" "exit"

After running that command you see the following in the winscp.log file:
. 2023-08-11 14:51:38.461 Command-line: winscp.exe  /log=winscp.log /loglevel=2 /command "open sftp://username:***@host" "pwd" "exit"
. 2023-08-11 14:51:38.461 Switch:    /log=winscp.log
. 2023-08-11 14:51:38.466 Switch:    /loglevel=2
. 2023-08-11 14:51:38.466 Switch:    /command
. 2023-08-11 14:51:38.466 Parameter: open sftp://username:mystrongpassword@host
. 2023-08-11 14:51:38.466 Parameter: pwd
. 2023-08-11 14:51:38.466 Parameter: exit

Notice in the first line (shown above) where it echoes the full command line, the password is correctly masked. However, a few lines below that, where it starts to list the individual parameters, the full session URL is shown (including the plain-text password) as part of the open command.

The topic on logging (https://winscp.net/eng/docs/logging) states:
Note that passwords and passphrases are not stored to either log format.

As such, this seems like a bug that should be fixed (so the password is also masked when shown as part of the open command as a parameter listed in the log file).
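A log like the one quoted in the post above is the kind of artifact that gets attached to bug reports or shipped to a central log store, so it is worth having a check that flags and scrubs embedded session credentials before that happens. The following Python script is an added example, not WinSCP's code and not part of this thread: it scans a WinSCP-style log for session URLs of the form scheme://user:password@host, reports any whose password is not already masked as ***, and produces a redacted copy. The embedded sample log is the output quoted in the post; the function names and the regular expression are assumptions about the URL shape (an unescaped @ inside the password is not handled).

```python
import re
from typing import List, NamedTuple

# Session URL with inline credentials, e.g. sftp://username:mystrongpassword@host
# Assumed shape: scheme://user:password@ ; user and password contain no ':' '/' '@' or
# whitespace (WinSCP would expect such characters to be URL-encoded).
SESSION_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@"
)

# The placeholder WinSCP itself writes into the masked "Command-line:" line.
MASK = "***"


class Leak(NamedTuple):
    line_no: int
    user: str
    password: str
    line: str


def find_leaked_credentials(log_text: str) -> List[Leak]:
    """Return every session URL in the log whose password is not already masked."""
    leaks: List[Leak] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in SESSION_URL.finditer(line):
            if match.group("pw") == MASK:
                continue  # already scrubbed by the logger, nothing to report
            leaks.append(Leak(line_no, match.group("user"), match.group("pw"), line))
    return leaks


def redact(log_text: str) -> str:
    """Replace the password in every embedded session URL with the *** placeholder."""
    def _mask(match: "re.Match[str]") -> str:
        return f"{match.group('scheme')}://{match.group('user')}:{MASK}@"
    return SESSION_URL.sub(_mask, log_text)


# Sample input: the log excerpt quoted in the bug report above, embedded verbatim so the
# script runs offline. Line 1 is the masked echo of the command line; line 5 is the
# parameter listing that leaks the password.
SAMPLE_LOG = """\
. 2023-08-11 14:51:38.461 Command-line: winscp.exe  /log=winscp.log /loglevel=2 /command "open sftp://username:***@host" "pwd" "exit"
. 2023-08-11 14:51:38.461 Switch:    /log=winscp.log
. 2023-08-11 14:51:38.466 Switch:    /loglevel=2
. 2023-08-11 14:51:38.466 Switch:    /command
. 2023-08-11 14:51:38.466 Parameter: open sftp://username:mystrongpassword@host
. 2023-08-11 14:51:38.466 Parameter: pwd
. 2023-08-11 14:51:38.466 Parameter: exit
"""

if __name__ == "__main__":
    for leak in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {leak.line_no}: password for user {leak.user!r} in clear text")
    print("--- redacted ---")
    print(redact(SAMPLE_LOG), end="")
```

Run against a real winscp.log by replacing SAMPLE_LOG with the file contents; the scanner reports only line 5 (the "Parameter: open ..." entry), because the "Command-line:" echo on line 1 already carries the *** placeholder, and the redacted copy contains no clear-text password. The check is deliberately narrow: it only catches credentials embedded in a session URL, not a password passed through some other switch.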