Security breach: frappe log exposes full text passwords!

In order to resolve our frappe issues, we have to post our frappe logs here.
But I have seen that in those logs you can read the full-text passwords of the system!!
So anyone on the internet can search for them and break into your valuable ERP system!!
It is best to disguise the passwords with stars!!

Thanks for your consideration.


Hello,

Which logs are you referring to? I’ve been going through all of them and none are showing any passwords?

Regards
Said

Note: And even if I try to access the Logs Dir/Folder directly, it's not possible; must be how your site is set up.

If you are referring to the passwords.txt file, then you can delete it after storing the passwords in a safe place.

Hi @Pawan, @saidsl,

I am referring to the console output.
Sometimes we need to publish parts of it on the forum, because of errors.

Example:

run install script:

# python install.py --develop --user frappe

command log:

> root@PAVILION:~# python install.py --develop --user frappe
> Please enter mysql root password:
> Please enter the default Administrator user password:
> -- pw: ******
> Passwords saved at ~/passwords.txt
>  [WARNING]: Host file not found: /etc/ansible/hosts
>  [WARNING]: provided hosts list is empty, only localhost is available
>  [WARNING]: Host file not found: /etc/ansible/hosts
>  [WARNING]: provided hosts list is empty, only localhost is available
>  [WARNING]: Consider using file module with owner rather than running chown
>  TASK [Set root Password] *******************************************************
> fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["mysqladmin", "-u", "root", "password", "jshydnajhxjs"], "delta": "0:00:00.023013", "end": "2017-02-13 07:09:58.652810", "failed": true, "rc": 1, "start": "2017-02-13 07:09:58.629797", "stderr": "\u0007mysqladmin: connect to server at 'localhost' failed\nerror: 'Access denied for user 'root'@'localhost' (using password: NO)'", "stdout": "", "stdout_lines": [], "warnings": []}
> ...ignoring

The mysql password is exposed:

fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["mysqladmin", "-u", "root", "password", "jshydnajhxjs"],

Just do a search with, for example, "mysqladmin", "-u", "root", "password" in this forum, and you will see many full-text passwords…

Passwords saved at ~/passwords.txt, have you deleted this file and tried to see the log?

Thanks @Pawan, passwords.txt also gives full-text passwords :(

{
"mysql_root_password": "mysql_root_password",
"admin_password": "admin_password"
}

Is it safe to delete this file?

I have deleted it and did not face any problems, so I assume it is safe.

Old issue, still a problem. In frappe.log:

[ERROR] 2019-07-18 07:54:34,491 | /home/frappe/frappe-bench/apps/frappe/frappe/app.py:
Site: ******WEBSITE HERE*******
Form Dict: {
 "cmd": "login", 
 "device": "desktop", 
 "pwd": "******PLAINTEXT PASSWORD ATTEMPT******", 
 "usr": "******USER EMAIL*******"
}
Request Error
Traceback (most recent call last):
  File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 58, in application
    init_request(request)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 120, in init_request
    frappe.local.http_request = frappe.auth.HTTPRequest()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 51, in __init__
    frappe.local.login_manager = LoginManager()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 105, in __init__
    if self.login()==False: return
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 126, in login
    self.authenticate(user=user, pwd=pwd)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 209, in authenticate
    self.check_if_enabled(user)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 216, in check_if_enabled
    check_consecutive_login_attempts(user, doc)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 394, in check_consecutive_login_attempts
    .format(doc.allow_login_after_fail), frappe.SecurityException)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 353, in throw
    msgprint(msg, raise_exception=exc, title=title, indicator='red')
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 339, in msgprint
    _raise_exception()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 312, in _raise_exception
    raise raise_exception(msg)
SecurityException: Your account has been locked and will resume after 60 seconds
[ERROR] 2019-07-18 07:54:34,720 | /home/frappe/frappe-bench/apps/frappe/frappe/utils/error.py:
New Exception collected with id: 2019-07-18 07:54:34.492114-62.7.71.252-b86

The log contains the plaintext usernames and passwords of failed login attempts. Technically this won’t be the actual password, of course, but it might be a trivial misspelling or equivalent.
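A redaction helper for the two log shapes quoted in this thread (the login Form Dict with its "pwd" field, and the Ansible task-failure line whose "cmd" array carries the mysqladmin password), added here as an illustration; it is not code from Frappe or the bench installer. The "password"/"passwd" keys and the "--password=" argument form are assumed variants, and the sample line is constructed.

```python
import json
import re

MASK = "******"
# "pwd" is the login Form Dict field shown above; mysql_root_password and
# admin_password are the passwords.txt keys. "password"/"passwd" are assumed
# extra variants, not taken from the thread.
SENSITIVE_KEYS = {"pwd", "password", "passwd", "mysql_root_password", "admin_password"}

# Shape of an Ansible task-failure line as it appears in the install output.
ANSIBLE_RESULT = re.compile(r"^(?P<prefix>fatal: \[[^\]]+\]: FAILED! => )(?P<body>\{.*\})\s*$")


def redact_form_dict(form_dict):
    """Copy of a request form dict with password-like values masked,
    for use before a request's form data is written to frappe.log."""
    return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else v) for k, v in form_dict.items()}


def redact_command(argv):
    """Mask the value that follows a 'password' verb in a command vector,
    as in ["mysqladmin", "-u", "root", "password", "<secret>"]."""
    out = [str(a) for a in argv]
    for i, arg in enumerate(out):
        if arg.startswith("--password="):            # assumed variant: --password=VALUE
            out[i] = "--password=" + MASK
        elif arg.lower() in ("password", "--password") and i + 1 < len(out):
            out[i + 1] = MASK                        # value is the next argument
    return out


def sanitize_ansible_line(line):
    """Rewrite a 'fatal: [...]: FAILED! => {...}' line with its cmd array masked;
    lines that do not match, or whose payload is not JSON, come back unchanged."""
    m = ANSIBLE_RESULT.match(line)
    if not m:
        return line
    try:
        result = json.loads(m.group("body"))
    except ValueError:
        return line
    if isinstance(result.get("cmd"), list):
        result["cmd"] = redact_command(result["cmd"])
    return m.group("prefix") + json.dumps(result)


# Constructed sample modelled on the install log quoted above (the secret is made up).
SAMPLE_LINE = ('fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["mysqladmin", "-u", '
               '"root", "password", "made-up-secret"], "rc": 1, "stderr": "\\u0007mysqladmin: '
               "connect to server at 'localhost' failed\"}")

if __name__ == "__main__":
    print(sanitize_ansible_line(SAMPLE_LINE))
    print(redact_form_dict({"cmd": "login", "pwd": "made-up-secret", "usr": "user@example.com"}))
```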