Insertion of Sensitive Information into Log File in gotify/server
Sep 26th 2021
With the default Docker installation, the user's authorization token is written to the container log at the OS level: the token is passed as a query-string parameter, and the request logger records the full request URL.
# Proof of Concept
1. Install the Docker version of the software.
2. Log in with any user.
3. Observe the container logs; a row like the following is displayed:
[GIN] 2021/09/26 - 19:34:52 | 200 | 654.694µs | 22.214.171.124 | GET "/stream?token=C6B9MTgeJcaJatJ"
Please take a look at the following screenshot:
Anyone with privileged access at the OS layer (for example, read access to the container logs) can take the token from the log and impersonate the web application's users.
# Recommendation
It is recommended to mask these values in the logs.
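One way to implement the masking on the server side, as an added example that is not gotify's own code: a stdlib-only net/http logging middleware that redacts sensitive query values before the request target reaches the access log. The names RedactTarget, LogLine and sensitiveParams, and the log layout, are assumptions for this example; the real server logs through gin, so the same redaction would be applied in gin's log formatter (e.g. gin.LoggerWithFormatter) instead.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"time"
)

// Query parameters whose values must never reach the log; "token" is the
// parameter from the leaked row, any further names are an assumption.
var sensitiveParams = map[string]bool{"token": true}

// RedactTarget returns the request path and query with every sensitive query
// value replaced by REDACTED; other parameters stay (Encode sorts the keys).
func RedactTarget(u *url.URL) string {
	q := u.Query()
	for name := range q {
		if sensitiveParams[name] {
			q.Set(name, "REDACTED") // Set replaces every value of that key
		}
	}
	if len(q) == 0 {
		return u.Path
	}
	return u.Path + "?" + q.Encode()
}

// LogLine builds an access-log row shaped like the one in the report, but
// from the redacted target rather than the raw request URI.
func LogLine(status int, dur time.Duration, client, method string, u *url.URL) string {
	return fmt.Sprintf("[GIN] %3d | %v | %s | %s %q", status, dur, client, method, RedactTarget(u))
}

// statusRecorder captures the status code the wrapped handler writes.
type statusRecorder struct{ http.ResponseWriter; status int }

func (s *statusRecorder) WriteHeader(c int) { s.status = c; s.ResponseWriter.WriteHeader(c) }

// LoggingMiddleware wraps any http.Handler so the access log goes through
// LogLine: the token is masked no matter what the handler does.
func LoggingMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		start := time.Now()
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r)
		log.Println(LogLine(rec.status, time.Since(start), r.RemoteAddr, r.Method, r.URL))
	})
}
```

Masking the log is a mitigation for this finding only; a token carried in the query string still lands in proxy logs and browser history, so moving it to a header is the stronger fix where the client allows it.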