[wix-users] util:XmlFile logging sensitive info

Hoover, Jacob Jacob.Hoover at greenheck.com
Mon Sep 14 10:40:50 PDT 2015


What do your log entries look like (and a few lines before/after the suspect line)?  Looking at the source, I don't see anything in a quick scan that would be logging.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Cockerham, Gregory
Sent: Monday, September 14, 2015 10:08 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] util:XmlFile logging sensitive info

Correct, our DB does not use integrated auth. Also, that section of the config file ends up being encrypted, but we have to first capture the info for the connection string during installation, populate the connection string and then encrypt. The problem is the user creds captured during installation, and then inserted by XmlFile, are logged in plain text in the log file. If there is a better solution to tweaking the config file during installation, please let me know, otherwise I need a solution for XmlFile as this is an obvious failure for our security tests.

Thanks.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob
Sent: Monday, September 14, 2015 10:53 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] util:XmlFile logging sensitive info

If that information is already in plain text form in an XML file, wouldn't it also be considered insecure? A bigger question would be why not use integrated authentication, but I assume you are using a different DB that may not support it, or you're in a client/server relationship without a domain.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Cockerham, Gregory
Sent: Monday, September 14, 2015 9:30 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] util:XmlFile logging sensitive info

I am using util:XmlFile to tweak my DB connection strings, but XmlFile is logging the entire line which includes the user creds, which is not wanted. I know there was a bug (click here<http://wixtoolset.org/issues/3859/>) opened about this issue a while back, but from a disposition standpoint it was marked NotABug and no real solution given (at least not one that was apparent to me). The problem is, I am still seeing the behavior. If there is a solution or workaround, please help.

Thanks,
Greg

This message and any attachments are solely for the use of intended recipients. The information contained herein may include trade secrets, protected health or personal information, privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you are not an intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you have received this email in error, please contact the sender and delete the message and any attachment from your system. Thank you for your cooperation

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
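An added example, not part of the original thread and not a WiX feature: a post-install scrubber that masks connection-string credentials in an installer log and reports which lines leaked them. The key list, the function names and the sample log lines are assumptions constructed for illustration; real XmlFile log output may be formatted differently.

```python
import re

# Connection-string keys treated as credentials (assumed list; extend as needed).
_SECRET_KEYS = r"(?:password|pwd|user\s*id|uid)"
# Value is single-quoted, double-quoted, or runs to the next ';', quote or EOL.
_PATTERN = re.compile(
    r"\b(" + _SECRET_KEYS + r")(\s*=\s*)"
    r"""('[^']*'|"[^"]*"|[^;'"<>\r\n]+)""",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (masked_line, number_of_values_masked)."""
    return _PATTERN.subn(lambda m: m.group(1) + m.group(2) + "***", line)

def scrub_log(lines):
    """Mask every line; return (masked_lines, 1-based numbers of leaking lines)."""
    masked, hits = [], []
    for number, line in enumerate(lines, start=1):
        new_line, count = redact_line(line)
        masked.append(new_line)
        if count:
            hits.append(number)
    return masked, hits

# Constructed sample lines, not real XmlFile output.
SAMPLE_LOG = [
    "Action start 10:40:49: InstallFinalize.",
    "Property(S): DB_CONN = Server=db01;Database=app;User ID=svc_app;Password=S3cr3t!;",
    "Property(S): INSTALLFOLDER = C:\\Program Files\\App\\",
    "Action ended 10:40:50: InstallFinalize. Return value 1.",
]

if __name__ == "__main__":
    masked, hits = scrub_log(SAMPLE_LOG)
    print("lines containing credentials:", hits)
    print("\n".join(masked))
```

The line numbers returned by scrub_log can also fail a security test run before the log is archived or attached to a support ticket.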
