In order to resolve our Frappe issues, we have to post our Frappe logs here.
But I have seen that in those logs, you can read the full-text passwords of the system!!
So anyone on the internet can search for them, and break into your valuable ERP system!!
It is best to disguise the passwords with stars!!
I am referring to the console output.
Sometimes we need to publish parts of it on the forum, because of errors.
Example:
Run install script:
# python install.py --develop --user frappe
Command log:
> root@PAVILION:~# python install.py --develop --user frappe
> Please enter mysql root password:
> Please enter the default Administrator user password:
> -- pw: ******
> Passwords saved at ~/passwords.txt
> [WARNING]: Host file not found: /etc/ansible/hosts
> [WARNING]: provided hosts list is empty, only localhost is available
> [WARNING]: Host file not found: /etc/ansible/hosts
> [WARNING]: provided hosts list is empty, only localhost is available
> [WARNING]: Consider using file module with owner rather than running chown
> TASK [Set root Password] *******************************************************
> fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["mysqladmin", "-u", "root", "password", "jshydnajhxjs"], "delta": "0:00:00.023013", "end": "2017-02-13 07:09:58.652810", "failed": true, "rc": 1, "start": "2017-02-13 07:09:58.629797", "stderr": "\u0007mysqladmin: connect to server at 'localhost' failed\nerror: 'Access denied for user 'root'@'localhost' (using password: NO)'", "stdout": "", "stdout_lines": [], "warnings": []}
> ...ignoring
[ERROR] 2019-07-18 07:54:34,491 | /home/frappe/frappe-bench/apps/frappe/frappe/app.py:
Site: ******WEBSITE HERE*******
Form Dict: {
"cmd": "login",
"device": "desktop",
"pwd": "******PLAINTEXT PASSWORD ATTEMPT******",
"usr": "******USER EMAIL*******"
}
Request Error
Traceback (most recent call last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 58, in application
init_request(request)
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 120, in init_request
frappe.local.http_request = frappe.auth.HTTPRequest()
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 51, in __init__
frappe.local.login_manager = LoginManager()
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 105, in __init__
if self.login()==False: return
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 126, in login
self.authenticate(user=user, pwd=pwd)
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 209, in authenticate
self.check_if_enabled(user)
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 216, in check_if_enabled
check_consecutive_login_attempts(user, doc)
File "/home/frappe/frappe-bench/apps/frappe/frappe/auth.py", line 394, in check_consecutive_login_attempts
.format(doc.allow_login_after_fail), frappe.SecurityException)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 353, in throw
msgprint(msg, raise_exception=exc, title=title, indicator='red')
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 339, in msgprint
_raise_exception()
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 312, in _raise_exception
raise raise_exception(msg)
SecurityException: Your account has been locked and will resume after 60 seconds
[ERROR] 2019-07-18 07:54:34,720 | /home/frappe/frappe-bench/apps/frappe/frappe/utils/error.py:
New Exception collected with id: 2019-07-18 07:54:34.492114-62.7.71.252-b86
The log contains the plaintext username and passwords of failed login attempts. Technically this won’t be the actual password, of course, but it might be a trivial misspelling or equivalent.
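
As an added example (not part of the original thread and not Frappe's own code), the following filter masks the two leaks shown above before a log excerpt is pasted into a forum: the `"pwd"` value in the Form Dict and the argument after `"password"` in the Ansible `mysqladmin` command list. The extra key names and the sample values are assumptions constructed for the example.

```python
import re
import sys

MASK = "******"
STRING_BODY = r'((?:[^"\\]|\\.)*)'  # contents of a double-quoted JSON string

# "pwd": "<secret>" as printed in the Form Dict of the error log.
# Key names other than "pwd" are assumptions, not taken from the thread.
FORM_FIELD = re.compile(
    r'("(?:pwd|password|passwd|new_password|old_password)"\s*:\s*")'
    + STRING_BODY + r'(")',
    re.IGNORECASE,
)

# Ansible "cmd" list: ["mysqladmin", ..., "password", "<secret>"]
MYSQLADMIN_CMD = re.compile(
    r'("mysqladmin"(?:\s*,\s*"[^"]*")*?\s*,\s*"password"\s*,\s*")'
    + STRING_BODY + r'(")'
)

def scrub_line(line):
    """Return (masked_line, number_of_values_masked)."""
    masked = 0
    for pattern in (FORM_FIELD, MYSQLADMIN_CMD):
        line, n = pattern.subn(lambda m: m.group(1) + MASK + m.group(3), line)
        masked += n
    return line, masked

def scrub(text):
    """Mask every line of a log excerpt; return (masked_text, total_masked)."""
    results = [scrub_line(line) for line in text.splitlines()]
    return "\n".join(l for l, _ in results), sum(n for _, n in results)

# Constructed sample input (values invented for this example).
SAMPLE = r'''Form Dict: {
"cmd": "login",
"pwd": "constructed-Secret1",
"usr": "user@example.com"
}
fatal: [localhost]: FAILED! => {"cmd": ["mysqladmin", "-u", "root", "password", "constructed-Secret2"], "stderr": "(using password: NO)"}'''

if __name__ == "__main__":
    # Filter mode: python scrub.py < frappe.log > safe-to-post.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    cleaned, count = scrub(text)
    print(cleaned)
    print(f"masked {count} value(s)", file=sys.stderr)
```

The filter only masks the patterns listed; user e-mail addresses, site names and IP addresses in the log are left as they are and still need a manual check before posting.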