incubator-cloudstack-users mailing list archives

From Alena Prokharchyk <Alena.Prokharc...@citrix.com>
Subject Re: MS UI - addHost call is a GET and the password of the host goes as cleartext
Date Fri, 20 Jul 2012 17:13:47 GMT
On 7/20/12 10:00 AM, "Nitin Mehta" <Nitin.Mehta@citrix.com> wrote:

>Good point. I think it hasn't been an issue so far since it's an admin only
>call but it's better to make this POST. But, I am not sure about other
>commands like addVPNUser which are authorized for all the accounts. Are
>they also GET?
>
>-----Original Message-----
>From: Koushik Das [mailto:koushik.das@citrix.com]
>Sent: Friday, July 20, 2012 2:36 AM
>To: cloudstack-users@incubator.apache.org
>Subject: MS UI - addHost call is a GET and the password of the host goes
>as cleartext
>
>The request URL may get logged in Tomcat and that may lead to security
>issues. Any call having such data should be a POST.
>
>Thanks,
>Koushik
>


It shouldn't matter who is executing the command; this kind of information
should never be logged.

I know that in the management server log file we hide sensitive
information like passwords, sshKeys, etc. When commands are being logged
in api.log, we have to follow the same logic.

-Alena.
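As an added example (not code from this thread or from CloudStack itself), the masking Alena describes, applied to a Tomcat-style access log line: it flags which sensitive parameters a GET request carried in its URL and rewrites the line so the secret never reaches api.log. The parameter list, the log format and the case-insensitive name comparison are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names to mask before a request is logged. The thread names passwords
# and SSH keys; the exact set below is an assumption of this example.
SENSITIVE_PARAMS = {"password", "sshkey", "privatekey", "secretkey"}
MASK = "REDACTED"

# Request part of a Tomcat common-log-format line: "GET /path?query HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample line (not a real log); the password travels in the GET URL.
SAMPLE_LINE = ('10.1.1.7 - - [20/Jul/2012:10:00:12 +0000] '
               '"GET /client/api?command=addHost&url=http%3A%2F%2F10.1.1.20'
               '&username=root&password=s3cret&zoneid=1 HTTP/1.1" 200 845')


def leaked_params(target: str) -> list:
    """Names of sensitive parameters found in the query string of a request target.

    A non-empty result on a GET means the secret sits in a URL that the access
    log (and any proxy in front of Tomcat) records verbatim, which is the
    addHost problem reported above. Names are compared case-insensitively.
    """
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(target: str) -> str:
    """Return the request target with every sensitive query value replaced by MASK.

    Non-sensitive parameters keep their values and order, so the logged line
    still shows which command ran and against which host.
    """
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Apply redact_url to the request target inside one access-log line."""
    def _sub(m):
        return f'"{m.group("method")} {redact_url(m.group("target"))} {m.group("proto")}"'
    return _REQUEST_RE.sub(_sub, line)


if __name__ == "__main__":
    target = _REQUEST_RE.search(SAMPLE_LINE).group("target")
    print("leaked:", leaked_params(target))   # ['password']
    print(redact_log_line(SAMPLE_LINE))
```

Redaction at the logger is the second line of defence; as Koushik notes, the request itself should be a POST so the value is never in the URL to begin with.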

