
Authentication logs in plain text?


#1

Hello,

While testing out LDAP support we discovered that TestRail stores user names and passwords in a plain text file when authentication fails.

I do not think this is good as a simple mis-connect of a domain controller could end up storing valid credentials unencrypted.

Is there a way to comment out auth fail logging? Other solution?


#2

Hello Tony,

Thanks for your posting. This is done by a general error logging routine that captures and logs all POST variables that were submitted with the browser. This is already fixed in our internal build which excludes possible passwords from the log. This fix will also be included in the next TestRail version. I can send you the hot-fix for this via email if you like (it just means replacing a single file in your TestRail installation directory).

Regards,
Tobias
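The mechanism described in the reply above (a generic error handler that dumps every submitted POST variable into a log, which is how a failed LDAP login ends up writing a valid password to disk) is easy to reproduce and to fix. The following is an added example written for this thread, not TestRail's own code: a small error-logging routine that redacts credential-like parameters before the POST data is serialised. The parameter-name patterns, the sample form submission and the log format are assumptions chosen for illustration.

```python
"""Added example (not TestRail's code): redact credential-like fields from a
POST-variable dump before it reaches an error log.

Field-name patterns, the sample POST data and the log line format are
assumptions made for this illustration."""
import json
import re
from datetime import datetime, timezone

# Assumed parameter-name patterns whose values must never be logged verbatim.
SENSITIVE_PATTERNS = [
    re.compile(r"pass", re.I),            # password, passwd, ldap_password ...
    re.compile(r"pwd", re.I),
    re.compile(r"(^|_)pw($|_)", re.I),    # pw, bind_pw, pw_confirm
    re.compile(r"secret", re.I),
    re.compile(r"token", re.I),
    re.compile(r"api[_-]?key", re.I),
]
REDACTED = "[REDACTED]"


def is_sensitive(name: str) -> bool:
    """True if a parameter name looks like it carries a credential."""
    return any(p.search(name) for p in SENSITIVE_PATTERNS)


def redact_post(post: dict) -> dict:
    """Return a copy of the POST variables with sensitive values replaced.

    Nested dicts (PHP-style form arrays such as ldap[bind_pw]) are handled
    recursively; the caller's dict is left untouched."""
    out = {}
    for key, value in post.items():
        if is_sensitive(key):
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact_post(value)
        else:
            out[key] = value
    return out


def format_error_entry(message: str, post: dict, when=None) -> str:
    """Build one error-log line. POST data always passes through redact_post,
    so a handler that logs "everything the browser sent" cannot leak a
    password even when it fails on the login form itself."""
    when = when or datetime.now(timezone.utc)
    return "%s ERROR %s POST=%s" % (
        when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        message,
        json.dumps(redact_post(post), sort_keys=True),
    )


# Constructed sample: what a failed LDAP login submission might look like.
SAMPLE_POST = {
    "name": "tony",
    "password": "hunter2",
    "remember": "1",
    "ldap": {"host": "dc01", "bind_pw": "bind-secret"},
}

if __name__ == "__main__":
    # The logged line keeps the diagnostic context but no credential values.
    print(format_error_entry(
        "LDAP bind failed: domain controller unreachable", SAMPLE_POST))
```

The important design choice is that redaction lives inside the logging routine rather than at each call site: the original problem arose precisely because a general-purpose handler was reused for a page it was never audited against. Matching on parameter names is a denylist, so it is worth pairing it with a review of the actual form field names an application uses, and with file permissions on the log directory as defence in depth.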


#3

Thanks Tobias,

Yes please. Any idea on when the new version will be out?


#4

Hi Tony,

I’ve just sent you the hotfix via email. It’s not yet clear when the next update is going to be released, but the next update will also include this fix.

Regards,
Dennis


#5

Just wanted to thank you guys for the quick fix. I updated it and all is well!