Bug #53199 plain text password visible in agent error log
Submitted: 27 Apr 2010 13:50 Modified: 30 Apr 2010 10:53
Reporter: Lig Isler-Turmelle
Status: Closed
Category:MySQL Enterprise Monitor: Agent Severity:S2 (Serious)
Version:Any OS:Any
Assigned to: Michael Schuster CPU Architecture:Any
Tags: windmill

[27 Apr 2010 13:50] Lig Isler-Turmelle
Description:
In the agent logs when the agent reconnects to the dashboard a message is placed that includes the agent password.

Ex:
2009-09-24 13:34:04: (critical) network-io.c:310: successfully reconnected to dashboard at http://agent:password@127.0.0.1:18080/heartbeat

While the error log should be protected, having a password in plain text is a security issue.

How to repeat:
Have the agent connect to the dashboard and look at the logs.

Suggested fix:
If you can infer the password from the url then it should be replaced with:

- one 'x' for each password character, or
- one '?' for each password character, or
- a clear text such as 'PASSWORD_REMOVED'
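A redaction step of the kind the suggested fix describes, as an added example in C that is not the Monitor agent's own code: it masks the password part of a URL's userinfo with the literal PASSWORD_REMOVED before the URL is handed to the logger, and copies URLs without credentials through unchanged. The function name, return convention and buffer handling are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out (outlen bytes), replacing a userinfo password with
 * PASSWORD_REMOVED. Returns 1 if a password was masked, 0 if the URL had no
 * password and was copied unchanged, -1 if out is too small. */
int redact_url_password(const char *url, char *out, size_t outlen)
{
    const char *scheme_end = strstr(url, "://");
    const char *authority = scheme_end ? scheme_end + 3 : url;
    /* The authority ends at the first '/', '?' or '#' (or the end of the
     * string), so an '@' inside the path or query is not mistaken for
     * userinfo. */
    size_t auth_len = strcspn(authority, "/?#");
    const char *at = memchr(authority, '@', auth_len);
    const char *colon = NULL;
    if (at)
        colon = memchr(authority, ':', (size_t)(at - authority));
    if (!at || !colon) {
        /* No "user:password@" present: log the URL as it is. */
        if (strlen(url) + 1 > outlen) return -1;
        strcpy(out, url);
        return 0;
    }
    const char *mask = "PASSWORD_REMOVED";
    size_t prefix = (size_t)(colon + 1 - url);   /* up to and including ':' */
    size_t suffix = strlen(at);                   /* from '@' to the end */
    if (prefix + strlen(mask) + suffix + 1 > outlen) return -1;
    memcpy(out, url, prefix);
    memcpy(out + prefix, mask, strlen(mask));
    memcpy(out + prefix + strlen(mask), at, suffix + 1); /* includes NUL */
    return 1;
}

int main(void)
{
    char buf[256];
    /* Constructed sample matching the log line quoted in the report. */
    const char *u = "http://agent:password@127.0.0.1:18080/heartbeat";
    if (redact_url_password(u, buf, sizeof buf) >= 0)
        printf("successfully reconnected to dashboard at %s\n", buf);
    return 0;
}
```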
[29 Apr 2010 18:21] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1705.
[29 Apr 2010 18:29] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in agent build 2.2.0.1705.
[30 Apr 2010 10:53] MC Brown
A note has been added to the 2.2.0 changelog: 

        The full agent URL would be output in the logs in the event of
        an error, including the agent username and password used to
        connect to &merlin_server;. The password is now stripped from
        the reported URL.