Toad World® Forums

TDP 4.2.1 has password in the clear in Toad.log


#1

I was looking for something today and happened to open a file Toad.log, in the
\appdata\roaming\quest software\toad data point 4.2 directory.

I noticed a password in the log, in the clear. Ouch!

All the entries in that file are Feb 8, none before, none after - but I do not recall what I was doing that day and why. What action causes Toad.log to be written? Did I enable some kind of trace? I just don't remember what I might have been doing or experimenting with that day.

If it helps, the connection type says "HIVE" - but I couldn't guess whether I was using the native hive driver, or the ODBC Hive driver. I do not use the native driver any more, so not sure why I'd be looking at that. All our Hive connections use Kerberos now, and passwords are from Active Directory (AD).

Anyway - this seems like a security exposure that should be looked at. Writing clear passwords in a log file is never a good idea.


#2

Thanks for bringing this to our attention. I am sure our Product Manager and Dev Teams are seeing your write-up, but I will make sure they see it again through our internal channels.


#3

I would like to confirm we have fixed this. Do you still have the log? If so, can you email it to me at debbie.peabody@quest.com? Just edit and XXXXX out the password.

The Toad.log file is only written to when you have added " /log=all" to the command line. Support often would have you add this to get additional information on a reported issue.
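
Added example, not part of the original thread and not Quest's code: one way to do the "XXXXX out the password" step mechanically before a verbose log leaves the machine. The thread does not show the Toad.log layout, so the key names (`PWD`, `Password`, `passwd`), the connection-string shape, and the sample lines are assumptions constructed for illustration.

```python
import re

# Keys assumed to carry secrets (ODBC uses PWD=; others are common variants).
SECRET_KEYS = r"(?:pwd|password|passwd)"

# key, separator, then a value that is {braced}, "quoted", 'quoted',
# or a bare token ending at ';' or whitespace.
PATTERN = re.compile(
    r"\b(" + SECRET_KEYS + r")(\s*[=:]\s*)"
    r"(\{[^}]*\}|\"[^\"]*\"|'[^']*'|[^;\s]+)",
    re.IGNORECASE,
)

MASK = "XXXXX"

def redact_line(line):
    """Return (redacted_line, number_of_values_masked)."""
    return PATTERN.subn(lambda m: m.group(1) + m.group(2) + MASK, line)

def redact_log(text):
    """Redact every line; return (redacted_text, 1-based line numbers that were masked)."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, count = redact_line(line)
        out.append(new)
        if count:
            hits.append(n)
    return "\n".join(out), hits

# Constructed sample lines; not taken from a real Toad.log.
SAMPLE = """\
2000-01-01 10:14:02 INFO Connecting type=HIVE
2000-01-01 10:14:02 DEBUG ConnStr: Driver={Hive ODBC};Host=hive01;UID=jdoe;PWD={s3;cr et};Port=10000
2000-01-01 10:14:03 DEBUG login user=jdoe password="hunter2 x" ok
2000-01-01 10:14:04 INFO password policy check skipped"""

if __name__ == "__main__":
    cleaned, lines = redact_log(SAMPLE)
    print(cleaned)
    print("masked on lines:", lines)
```

Review the output before sending it, since a secret logged under a key outside the assumed list passes through unmasked.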