[wix-users] util:XmlFile logging sensitive info

Phill Hogland phill.hogland at rimage.com
Mon Sep 14 13:02:19 PDT 2015


Did you try to add a hidden property of the same name as the deferred action to your MSI?   It has worked for me with other CAs defined in WixExtensions.
<Property Id=' ExecXmlFile' Hidden='yes' />

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Cockerham, Gregory
Sent: Monday, September 14, 2015 1:49 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] util:XmlFile logging sensitive info

Here are the log lines you requested (I scrubbed the sensitive data to protect the innocent). The user creds are buried in the 4th log line below beginning with "Executing op: CustomActionSchedule(Action=ExecXmlFile,ActionType=3073,..."

MSI (s) (2C:D4) [09:35:32:429]: Executing op: ActionStart(Name=ExecXmlFileRollback,,)
MSI (s) (2C:D4) [09:35:32:429]: Executing op: CustomActionSchedule(Action=ExecXmlFileRollback,ActionType=3329,Source=BinaryData,Target=ExecXmlFileRollback,CustomActionData=256?C:\Program Files\CompanyName\i2i Agent\\DeviceCommands.config?|TZT8fK/rJAK4kL5:|QK9Wwq3U4_RHz|k?HObQh8E3{xH|lrC/i4[8(P'|QK'LEhM,mvuIQcn:)YjWC8(A;qJam^3Kvpb?HF5[8(Sm^C/203T3'X?A//B7(C5;TL/'d22K2H'K/@3qHN:JXJ/(7M3K~GxJ/-sHJM at -eqJ4xH[H?R|QK5e5vIu8D.A;B1pK{sxfB.mvuI/)pzGR_FJK?WBLMUv,q3'%^C/56dBGXCw_8l(EZH-C22K+oHxH24FZH0x_3K0HxJ/5o'sG%t[BG1QUIK~J'K/6ckKMDL2M/29'K/9~JiM1LwuI'7I7G1j)uIwlvuItu]8(Sm^C/4RthMbrgF/l8'K/)0hiM{Z'sG%t[BG?5 at kJ-N'K/-sHJM at -eqJ~lcYH3l)]H-+_[HpX?A/ReKCM%m7nKqrw_8l(EZHDh at 4K*)KL/9,0!M{'|QK)_I7G:BqHNz^}oHI]NCM{E'sG%t[BG7/NCM@%*eN--TLM!cMPK,xH[HHu at RK9mncL5o|rJMMC4HwuegM]mgL57X?A/IiVLJg{+rA!boYHcRSsHuW~0C%m7nKqrw_8sX5[Hq+KtI2QzlI3HWXI1BNXI.tkK/(7M3K~GxJ/;{5iM}6fUG/*[[H2|CQKtsf;H,{wJM?]NCM22NCM%m7nKFTzlID%*eNgDf;H;*zD/f,sAGIM^L/|?9-MqX?A/b3lR3U4[8(Sm^C/Ox_3Kvpb?H-C22K8rT.Av at vHM[^ZjK!JPPKE~)|M}o
 h[H[e{ZH8YFCGSlKCM%m7nKs(J!0zRrC/(p!rJjIO{Gb.)(:-F4kLe1uZHkpti8QYTiMTOK142W75):m^C/!9vR34/Z8(Sm^C/vONCM5;TL/'d22K
MSI (s) (2C:D4) [09:35:32:429]: Executing op: ActionStart(Name=ExecXmlFile,,) MSI (s) (2C:D4) [09:35:32:430]: Executing op: CustomActionSchedule(Action=ExecXmlFile,ActionType=3073,Source=BinaryData,Target=ExecXmlFile,CustomActionData=2?0?C:\Program Files\CompanyName\ProductName\\MyProject.exe.config?3?1?/configuration/connectionStrings/add[@name='MyDB']?connectionString?Data Source=.\DBINSTANCE;Initial Catalog=DBNAME;User Id=<userid>;Password=<pwd>?2?0?C:\Program Files\CompanyName\ProductName\\DeviceDataSources.config?3?1?/configuration/connectionStrings/add[@name='sqlServerConnectionString']?connectionString?Data Source=.\DBINSTANCE;Initial Catalog=DBNAME;User Id=<userid2>;Password=<pwd2>?3?1?/configuration/dataSources/dataSource[@name='Property Information DS']/connection?source?C:\Program Files\CompanyName\ProductName\PropertyInfoData.xml?2?0?C:\Program Files\CompanyName\ProductName\\PasswordUpdater.xml?3?1?/Task/Actions/Exec/Command??C:\Program Files\CompanyName\ProductName\PasswordUpdater.exe?2?0?C:\Program Files\CompanyName\ProductName\\Agent.con
 fig?3?1?/configuration/serverConnection/server?address?127.0.0.1?3?1?/configuration/de
MSI (s) (2C:18) [09:35:32:431]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI733A.tmp, Entrypoint: ExecXmlFile MSI (s) (2C:D4) [09:35:32:550]: Executing op: ActionStart(Name=WriteRegistryValues,Description=Writing system registry values,Template=Key: [1], Name: [2], Value: [3]) MSI (s) (2C:D4) [09:35:32:554]: Executing op: ProgressTotal(Total=3,Type=1,ByteEquivalent=13200)


-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob
Sent: Monday, September 14, 2015 1:41 PM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] util:XmlFile logging sensitive info

What does your log entries look like (and a few lines before/after the suspect line)?  Looking at the source, I don't see anything in a quick scan that would be logging.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Cockerham, Gregory
Sent: Monday, September 14, 2015 10:08 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] util:XmlFile logging sensitive info

Correct, our DB does not use integrated auth. Also, that section of the config file ends up being encrypted, but we have to first capture the info for the connection string during installation, populate the connection string and then encrypt. The problem is the user creds captured during installation, and then inserted by XmlFile, are logged in plain text in the log file. If there is a better solution to tweaking the config file during installation, please let me know, otherwise I need to solution for XmlFile as this is an obvious failure for our security tests.

Thanks.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob
Sent: Monday, September 14, 2015 10:53 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] util:XmlFile logging sensitive info

If that information is already in plain text form in an XML file, wouldn't it also be considered insecure? A bigger question would be why not use integrated authentication, but I assume you are using a different DB that may not support it, or you're in a client/server relationship without a domain.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Cockerham, Gregory
Sent: Monday, September 14, 2015 9:30 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] util:XmlFile logging sensitive info

I am using util:XmlFile to tweak my DB connection strings, but XmlFile is logging the entire line which includes the user creds, which is not wanted. I know there was a bug (click here<http://wixtoolset.org/issues/3859/>) opened about this issue a while back, but from a disposition standpoint it was marked NotABug and no real solution given (at least not one that was apparent to me). The problem is, I am still seeing the behavior. If there is a solution or workaround, please help.

Thanks,
Greg

This message and any attachments are solely for the use of intended recipients. The information contained herein may include trade secrets, protected health or personal information, privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you are not an intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you have received this email in error, please contact the sender and delete the message and any attachment from your system. Thank you for your cooperation

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

This message and any attachments are solely for the use of intended recipients. The information contained herein may include trade secrets, protected health or personal information, privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you are not an intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you have received this email in error, please contact the sender and delete the message and any attachment from your system. Thank you for your cooperation

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

This message and any attachments are solely for the use of intended recipients. The information contained herein may include trade secrets, protected health or personal information, privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you are not an intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you have received this email in error, please contact the sender and delete the message and any attachment from your system. Thank you for your cooperation

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/


More information about the wix-users mailing list