• cron@feddit.org
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 month ago

    Just one open source example … freeradius has an option to log passwords:

    log {
        destination = files
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    

    Or another example: The apache web server has a module that dumps all POST data, with passwords, in plain text:

    mod_dumpio allows for the logging of all input received by Apache and/or all output sent by Apache to be logged (dumped) to the error.log file. The data logging is done right after SSL decoding (for input) and right before SSL encoding (for output). As can be expected, this can produce extreme volumes of data, and should only be used when debugging problems.

    I don’t agree that this is “absolutely malice”, it could also be stupidity and forgetfulness.