cloudstack-dev mailing list archives

From Rajesh Battala <rajesh.batt...@citrix.com>
Subject RE: security around api.log
Date Wed, 18 Sep 2013 05:57:18 GMT
If anybody got access to the api.log, using the session details we can execute APIs and
cause harm.
But the api.log is present on the mgmt server, and if anybody got access to it, he can corrupt
anything.
Not just api.log: he can access any other services' logs and get the data. I feel it's up to
the admin how to protect his system and services.

Thanks
Rajesh Battala

-----Original Message-----
From: Darren Shepherd [mailto:darren.s.shepherd@gmail.com] 
Sent: Saturday, September 14, 2013 2:10 AM
To: dev@cloudstack.apache.org
Subject: security around api.log

I just noticed api.log which seems to log all the API access in a form like

2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer]
(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2
accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET
command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422
200 { "listzonesresponse" : { "count":1 ,"zone" : [ {"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","securitygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorageenabled":false}
] } }

The sessionId and sessionKey are logged in the file.  I haven't tried it yet, but can't I use
that info to hijack the session?  That introduces a security issue in that any server operator
can now hijack anybody's session.  So that api.log file really needs to be protected in the
same way a file with a password in it would be.

I would suggest that we just don't log the sessionId or sessionKey.

Darren
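
Added example, not part of either message and not CloudStack code: one way to scrub the two session fields from api.log lines already on disk, or before they are shipped to a log collector. It assumes the line layout quoted above; the function names, the mask string and the sample line are constructed for illustration.

```python
import re

MASK = "[REDACTED]"

# sessionId inside the "(userId=.. accountId=.. sessionId=..)" context block.
_SESSION_ID = re.compile(r"(\bsessionId=)([^\s)&]+)")
# sessionkey as a request parameter; the value runs to the next '&' or space.
_SESSION_KEY = re.compile(r"((?:^|[?&\s])sessionkey=)([^&\s]+)", re.IGNORECASE)
_FIELDS = (("sessionId", _SESSION_ID), ("sessionkey", _SESSION_KEY))

# Constructed sample in the layout quoted in the message; the session
# values are placeholders, not real credentials.
SAMPLE = (
    "2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer] "
    "(1@qtp-1-0:ctx-00000000 ctx-11111111) (userId=2 accountId=2 "
    "sessionId=EXAMPLEsessionid0000) 127.0.0.1 -- GET "
    "command=listZones&response=json"
    "&sessionkey=EXAMPLEkey%2Babc%3D&_=1379055729422 "
    '200 { "listzonesresponse" : { "count":1 } }'
)


def exposed_fields(line):
    """Return the names of session fields that still carry a live value."""
    return [
        name
        for name, pattern in _FIELDS
        if any(m.group(2) != MASK for m in pattern.finditer(line))
    ]


def redact(line):
    """Mask both session fields; everything else in the line is untouched."""
    for _, pattern in _FIELDS:
        line = pattern.sub(lambda m: m.group(1) + MASK, line)
    return line


def scrub(lines):
    """Yield redacted copies of an iterable of log lines (e.g. an open file)."""
    for line in lines:
        yield redact(line)


if __name__ == "__main__":
    print(exposed_fields(SAMPLE))
    print(redact(SAMPLE))
```

Scrubbing only covers lines already written; sessions whose values reached the log remain usable until they expire or are invalidated.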
