Security breach: frappe log exposes full text passwords!

In order to resolve our frappe issues, we have to post here our frappe logs.
But I have seen that in those logs, you can read the full text passwords of the system!!
So anyone on the internet can search for it, and break into your valuable erp system!!
It is best to disguise the passwords with stars!!

Thanks for your consideration.

1 Like


Which logs are you referring to? I’ve been going through all of them and none are showing any passwords?


Note: And even if I try to access the Logs Dir/Folder directly its not possible, must be how your site is setup.

If you are referring to the passwords.txt file, then you can delete it off after storing the passwords in a safe place.

Hi @Pawan, @saidsl ,

I am referring to the console output.
Sometimes we need to publish parts of it on the forum, because of errors.


run install script:

# python --develop --user frappe

command log:

> root@PAVILION:~# python --develop --user frappe
> Please enter mysql root password:
> Please enter the default Administrator user password:
> -- pw: ******
> Passwords saved at ~/passwords.txt
>  [WARNING]: Host file not found: /etc/ansible/hosts
>  [WARNING]: provided hosts list is empty, only localhost is available
>  [WARNING]: Host file not found: /etc/ansible/hosts
>  [WARNING]: provided hosts list is empty, only localhost is available
>  [WARNING]: Consider using file module with owner rather than running chown
>  TASK [Set root Password] *******************************************************
> fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["mysqladmin", "-u", "root", "password", "jshydnajhxjs"], "delta": "0:00:00.023013", "end": "2017-02-13 07:09:58.652810", "failed": true, "rc": 1, "start": "2017-02-13 07:09:58.629797", "stderr": "\u0007mysqladmin: connect to server at 'localhost' failed\nerror: 'Access denied for user 'root'@'localhost' (using password: NO)'", "stdout": "", "stdout_lines": [], "warnings": []}
> ...ignoring

the mysql password is exposed:

fatal: [localhost]: FAILED! => {“changed”: true, “cmd”: [“mysqladmin”, “-u”, “root”, “password”, “jshydnajhxjs”],

Just do a search with, for example: “"mysqladmin", "-u", "root", "password"” in this forum, and you will see many full text passwords…

Passwords saved at ~/passwords.txt, have you deleted this file and tried to see the log?

thanks @Pawan, passwords.txt also gives full text passwords :(,

“mysql_root_password”: “mysql_root_password”,
“admin_password”: “admin_password”

is it safe to delete this file?

I have deleted it and did not face any problems, so I assume it is safe

Old issue, still a problem. In frappe.log:

[ERROR] 2019-07-18 07:54:34,491 | /home/frappe/frappe-bench/apps/frappe/frappe/
Site: ******WEBSITE HERE*******
Form Dict: {
 "cmd": "login", 
 "device": "desktop", 
 "pwd": "******PLAINTEXT PASSWORD ATTEMPT******", 
 "usr": "******USER EMAIL*******"
Request Error
Traceback (most recent call last):
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 58, in application
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 120, in init_request
    frappe.local.http_request = frappe.auth.HTTPRequest()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 51, in __init__
    frappe.local.login_manager = LoginManager()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 105, in __init__
    if self.login()==False: return
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 126, in login
    self.authenticate(user=user, pwd=pwd)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 209, in authenticate
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 216, in check_if_enabled
    check_consecutive_login_attempts(user, doc)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 394, in     check_consecutive_login_attempts
    .format(doc.allow_login_after_fail), frappe.SecurityException)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 353, in throw
    msgprint(msg, raise_exception=exc, title=title, indicator='red')
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 339, in msgprint
  File "/home/frappe/frappe-bench/apps/frappe/frappe/", line 312, in _raise_exception
    raise raise_exception(msg)
SecurityException: Your account has been locked and will resume after 60 seconds
[ERROR] 2019-07-18 07:54:34,720 | /home/frappe/frappe-bench/apps/frappe/frappe/utils/
New Exception collected with id: 2019-07-18 07:54:34.492114-

The log contains the plaintext username and passwords of failed login attempts. Technically this won’t be the actual password, of course, but it might be a trivial misspelling or equivalent.