[wix-users] EXT: Re: Password visible in the log file

Griesshammer, Christoph (GE Healthcare) christoph.griesshammer at ge.com
Tue May 5 10:36:37 PDT 2020


You can see this issue is a security issue fixed in 3.10 and greater. We need to request Team Franklin to update to 3.11.

I’m starting the conversation with Cullen now.


From: Edwin Castro <egcastr at gmail.com>
Sent: Tuesday, May 5, 2020 1:34 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Pednekar, Veena (GE Healthcare) <veena.pednekar at ge.com>; Larson, Eric R (GE Healthcare) <Eric.R.Larson at ge.com>; Griesshammer, Christoph (GE Healthcare) <christoph.griesshammer at ge.com>
Subject: EXT: Re: [wix-users] Password visible in the log file

That's a burn command line.

Try <Variable Name="VALIDATE_USERPASSWORD" Hidden="yes" bal:Overridable="yes" /> in your bundle.

Edwin G. Castro

On Tue, May 5, 2020 at 10:28 AM Griesshammer, Christoph (GE Healthcare) via wix-users <wix-users at lists.wixtoolset.org> wrote:
I know you had asked me this before. I don't know about any way to hide it without doing the research myself, so I have to request that you please research it.

I'm surprised that if the property is marked hidden, that it would allow burn to output it.

Remember, there's always the WiX email group (wix-users at lists.wixtoolset.org) that you can try. It's kind of hit or miss as to whether you'll get an answer, but it's worth trying.

Good luck,

From: Pednekar, Veena (GE Healthcare) <veena.pednekar at ge.com>
Sent: Tuesday, May 5, 2020 1:07 PM
To: Larson, Eric R (GE Healthcare) <Eric.R.Larson at ge.com>; Griesshammer, Christoph (GE Healthcare) <christoph.griesshammer at ge.com>
Subject: Password visible in the log file

Hi Eric, Christoph,

With reference to our previous discussion on hiding the password getting displayed in the log files.

As per Christoph's suggestion, making the variable hidden helped.

But another log (mentioned below) was observed. (Logs attached.)

[1518:08F8][2020-05-04T01:18:49]i001: Burn v3.9.1208.0, Windows v10.0 (Build 14393: Service Pack 0), path: C:\CentricityInstallMedia\Current\AdminDesktop\AdminDesktop\AdminConsoleInstaller.exe, cmdline: '-burn.unelevated BurnPipe.{C00C8865-BB71-4DA6-AD1F-F0C68DFAC670} {D0B793FE-D088-4549-AED9-A3F8FA4B262B} 1596 -quiet -log C:/Support/RadiologyServiceTools/Logs/Admin_Desktop_Install_2020-05-04_011839.log ADDLOCAL="AdminWebServer" VALIDATE_USERNAME="administrator" VALIDATE_USERPASSWORD="LocalAdm1n!" '

The following things were tried to remove this:

  1.  Hidden property set to true for VALIDATE_USERPASSWORD
  2.  Removing V(verbose) and I(Status) from MsiLogging property of AdminConsole msi.

Requesting you to suggest anything which can be tried to remove the burn command getting logged.
Will SDF trigger installation with verbose on? Is there anything which can be updated there?

Thanks and regards,
Veena Pednekar.

WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
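
For logs that were already written with the password on the Burn command line, as in the i001 line quoted in the thread, a scrubber like the following can find and mask those values before the logs are shared or archived. This is an added example, not part of the original thread or of WiX; the function names, the sensitive-name pattern and the sample log are assumptions constructed for illustration.

```python
import re

# Startup line Burn writes (message id i001); everything after "cmdline: '" is
# the raw command line, including any NAME=value variables passed to the bundle.
BURN_CMDLINE = re.compile(r"\]i001: Burn v.*?cmdline: '")
# NAME="value" or NAME=value pairs on that command line.
ASSIGNMENT = re.compile(r'\b([A-Za-z_][\w.]*)=("[^"]*"|[^\s\']+)')
# Assumption: variable names that hold secrets; extend for your own bundle.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|PWD|SECRET|TOKEN", re.IGNORECASE)
MASK = "*****"


def redact_line(line):
    """Mask secret values on a Burn i001 line; return (line, masked names)."""
    m = BURN_CMDLINE.search(line)
    if not m:
        return line, []
    masked = []

    def mask(pair):
        name, value = pair.group(1), pair.group(2)
        if not SENSITIVE_NAME.search(name):
            return pair.group(0)
        masked.append(name)
        return f'{name}="{MASK}"' if value.startswith('"') else f"{name}={MASK}"

    return line[:m.end()] + ASSIGNMENT.sub(mask, line[m.end():]), masked


def redact_log(text):
    """Return (redacted text, [(line number, variable name), ...])."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        clean, names = redact_line(line)
        out.append(clean)
        findings.extend((number, name) for name in names)
    return "\n".join(out), findings


# Constructed sample in the shape of the log line quoted in the thread.
SAMPLE_LOG = (
    "[1518:08F8][2020-05-04T01:18:49]i001: Burn v3.9.1208.0, path: C:\\Setup.exe, "
    "cmdline: '-quiet -log C:/Logs/install.log ADDLOCAL=\"AdminWebServer\" "
    "VALIDATE_USERNAME=\"administrator\" VALIDATE_USERPASSWORD=\"EXAMPLE-not-real\" '\n"
    "[1518:08F8][2020-05-04T01:18:49]i000: Setting string variable 'X' to value 'y'"
)

if __name__ == "__main__":
    redacted, found = redact_log(SAMPLE_LOG)
    print(redacted)
    print(found)
```

Masking a log does not undo the exposure: any password this finds was already written to disk in clear text and should be rotated.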
