incubator-cloudstack-dev mailing list archives

From "Sanjay Tripathi (JIRA)" <>
Subject [jira] [Created] (CLOUDSTACK-819) Create Account/User API logging password in access logs
Date Mon, 07 Jan 2013 11:44:14 GMT
Sanjay Tripathi created CLOUDSTACK-819:

             Summary: Create Account/User API logging password in access logs
                 Key: CLOUDSTACK-819
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: API, UI
            Reporter: Sanjay Tripathi
            Assignee: Sanjay Tripathi

We are also logging passwords for create account/user API in the access logs. Though they
are MD5 hashed, the same can be easily used for logging in.
UI should make a POST call for them instead of a GET.

Below are the access logs for these 2 APIs.

"GET /client/api?command=createAccount&response=json&sessionkey=j%2FQCuPGl8lOy%2BrQFyaVoA7pHrEE%3D&username=n&password=7b8b965ad4bca0e41ab51de7b31363a1& HTTP/1.1" 200 951

"GET /client/api?command=createUser&response=json&sessionkey=PU5q1Duy8an1FKxypDk2RYBsYm4%3D&username=m&password=6f8f57715090da2632453988d9a1501b& HTTP/1.1" 200 302

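A defensive check for the pattern reported above, as an added example that is not part of the original message or of CloudStack's code: it scans access-log lines for API requests that carry `password` or `sessionkey` in the query string and returns a redacted copy of each offending line. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters treated as secrets; both names appear in the report above.
SENSITIVE = {"password", "sessionkey"}

# Quoted request field of an access-log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+)\s+HTTP/[\d.]+"')

# Matches name=value for a sensitive name in the raw (still percent-encoded) text.
REDACT_RE = re.compile(
    r'(?i)([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(SENSITIVE)))


def scan_line(line):
    """Return (command, leaked_names, redacted_line), or None if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # parse_qsl drops the empty field left by a trailing '&', as in the report.
    params = parse_qsl(urlsplit(m.group("uri")).query, keep_blank_values=True)
    leaked = sorted({k.lower() for k, v in params if k.lower() in SENSITIVE and v})
    if not leaked:
        return None
    command = next((v for k, v in params if k.lower() == "command"), "?")
    # Redact on the raw line so the stored copy never holds the secret value.
    return command, leaked, REDACT_RE.sub(r"\1[REDACTED]", line)


def scan(lines):
    """Scan an iterable of access-log lines and collect every finding."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines in the format shown in the report (values are dummies).
SAMPLE_LOG = [
    '"GET /client/api?command=createAccount&response=json&sessionkey=AAAA%2FBBBB%3D'
    '&username=n&password=00000000000000000000000000000000& HTTP/1.1" 200 951',
    '"POST /client/api HTTP/1.1" 200 302',
    '"GET /client/api?command=listZones&response=json HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for command, leaked, redacted in scan(SAMPLE_LOG):
        print(f"{command}: {', '.join(leaked)} in query string\n  {redacted}")
```

The POST line is not flagged because its parameters travel in the request body, which this access-log format does not record.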