Insertion of Sensitive Information into Log File in gotify/server

Valid

Reported on

Sep 26th 2021

Description

On OS level, the authorization token of the user is being logged, with the default docker installation.

1; Install the docker version of the software

2; Log in with any user

3; Observe the logs, and the following row is being displayed:

[GIN] 2021/09/26 - 19:34:52 | 200 | 654.694µs | 89.135.196.67 | GET "/stream?token=C6B9MTgeJcaJatJ"

Please take a look at the following screenshot:

alt text

A privileged OS layer user is able to impersonate the web application users.

#Recommendation It is recommended to mask these values in the logs.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

We have contacted a member of the gotify/server team and are waiting to hear back 2 years ago

A gotify/server maintainer validated this vulnerability 2 years ago

TheLabda has been awarded the disclosure bounty

The fix bounty is now up for grabs

A gotify/server maintainer marked this as fixed with commit 8affec 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation