When using full pam conversations and "log authentication failures to syslog" checked, I would occasionally have a failed login and the password would be logged to syslog as if it was the username. The log message has been purged, but I recall is at "invalid user xxx" where xxx was the password of the user attempting to log in.
I haven't looked closely at the code yet, but it appears that the session code was getting confused. This happens when using IE 6.0 under Windows 2000. Sessions occasionally get messed up anyway, so this may be more of a cookie handling problem with IE than a specific pam issue. I'm inclined to beleive it's a session issue, as the username and password pair were correct. I can not replicate the problem, but when it happens, it consistently happens until miniserv is restarted - then the problem goes away.
I think the password exposure could be avoided by including a hidden field in the form noting what is actually being asked for, and possibly one tracking the username (if it's possible to definitvely identify the username in all cases)...
Log in to post a comment.