incubator-cloudstack-dev mailing list archives

From "Sanjay Tripathi (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-819) Create Account/User API logging password in access logs
Date Mon, 07 Jan 2013 11:54:12 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sanjay Tripathi resolved CLOUDSTACK-819.
----------------------------------------

    Resolution: Fixed
    
> Create Account/User API logging password in access logs
> -------------------------------------------------------
>
>                 Key: CLOUDSTACK-819
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-819
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API, UI
>            Reporter: Sanjay Tripathi
>            Assignee: Sanjay Tripathi
>
> We are also logging passwords for the create account/user API in the access logs. Though they are md5 hashed, the same can be easily used for logging in.
> UI should make a POST call for them instead of a GET.
> Below are the access logs for these two APIs.
> "GET /client/api?command=createAccount&response=json&sessionkey=j%2FQCuPGl8lOy%2BrQFyaVoA7pHrEE%3D&username=n&password=7b8b965ad4bca0e41ab51de7b31363a1&email=n%40cloud.com&firstname=n&lastname=n&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355661100566 HTTP/1.1" 200 951
> "GET /client/api?command=createUser&response=json&sessionkey=PU5q1Duy8an1FKxypDk2RYBsYm4%3D&username=m&password=6f8f57715090da2632453988d9a1501b&email=m%40m.com&firstname=m&lastname=m&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355666364210 HTTP/1.1" 200 302

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
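The exposure reported in the issue above, as an added example (this is not code from the issue, the reporter, or the CloudStack project): a Python scan that reads access-log request lines, flags API calls whose query string carries a password parameter, and rewrites the line with the secret values replaced. The two GET entries are the ones quoted in the issue; the POST entry is constructed here to show that once the UI sends the same call as a POST, a standard access log (which records only the request line, not the body) no longer captures the credential. Treating sessionkey as sensitive alongside password is an addition of this example, not something the issue states; the md5 digests in the GET lines are what the UI submits, so a logged digest is as usable as the password itself, which is the issue's point.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters whose values must never land in an access log.
# "password" is the one CLOUDSTACK-819 reports; "sessionkey" is added by
# this example (assumption: a logged session key can be replayed too).
SENSITIVE_PARAMS = {"password", "sessionkey"}

# Request line inside an access-log entry, e.g.
#   "GET /client/api?command=createUser&... HTTP/1.1" 200 302
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Sample entries. The two GET lines are quoted from the issue; the POST line
# is constructed to show the same call after the UI switches to POST.
SAMPLE_LOG = [
    '"GET /client/api?command=createAccount&response=json&sessionkey=j%2FQCuPGl8lOy%2BrQFyaVoA7pHrEE%3D'
    '&username=n&password=7b8b965ad4bca0e41ab51de7b31363a1&email=n%40cloud.com&firstname=n&lastname=n'
    '&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355661100566 HTTP/1.1" 200 951',
    '"GET /client/api?command=createUser&response=json&sessionkey=PU5q1Duy8an1FKxypDk2RYBsYm4%3D'
    '&username=m&password=6f8f57715090da2632453988d9a1501b&email=m%40m.com&firstname=m&lastname=m'
    '&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355666364210 HTTP/1.1" 200 302',
    '"POST /client/api HTTP/1.1" 200 302',  # constructed: parameters travel in the body, which is not logged
]


def audit_request(line):
    """Return (method, API command, [leaked sensitive param names]) for one
    access-log line, or None when the line carries no HTTP request."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    command = next((v for k, v in params if k == "command"), None)
    leaked = [k for k, _ in params if k.lower() in SENSITIVE_PARAMS]
    return m.group("method"), command, leaked


def leaking_calls(lines):
    """Reduce a log to the entries that expose a secret in the URL."""
    hits = []
    for line in lines:
        result = audit_request(line)
        if result is not None and result[2]:
            hits.append(result)
    return hits


def redact_request(line):
    """Rewrite a log line so every sensitive query value reads REDACTED,
    leaving method, path, other parameters, status and size untouched."""
    m = REQUEST_RE.search(line)
    if m is None:
        return line
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in params]
    # urlencode re-escapes the surviving values (e.g. '@' back to '%40'),
    # so the redacted line stays a valid access-log request line.
    target = urlunsplit(url._replace(query=urlencode(cleaned)))
    return line[:m.start("target")] + target + line[m.end("target"):]


if __name__ == "__main__":
    for method, command, leaked in leaking_calls(SAMPLE_LOG):
        print(f"{method} {command}: leaks {', '.join(leaked)}")
    for line in SAMPLE_LOG:
        print(redact_request(line))
```

Against the three sample entries the scan reports the two GET calls (createAccount and createUser, each leaking sessionkey and password) and nothing for the POST. To run it over a real file, pass the open file object to leaking_calls; redact_request is the piece to put in a log shipper or rotation hook until the UI-side fix is deployed.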
