Just after doing an installation of Cloudstack 4.1.1

apilog.log was created with the following permissions:

-rw-rw-r--. 1 cloud cloud  95449 Sep 18 01:05 apilog.log

Owner......................rw
Group......................rw
Nobody/everybody....r

Considering what was discussed above this is not good. Anybody with
shell access to the box could possibly get admin login to Cloudstack
if they happen to pull out the correct session information within the
1 hour expire time. Fairly easy if you just run tail -f and grep out
some admin command.

On 13 September 2013 22:14, Ian Duffy <i...@ianduffy.ie> wrote:
>>  I haven't tried it yet, but can't I use that info to hijack the session?
>
> You can...
>
> Create a cookie: (please excuse the full stops as spaces, didn't trust it to
> render correctly)
>
> Key............................... Value
> JSESSIONID ................ 7asvmtwoesbc6ia3e4kxtzrl
> sessionKey ................... ec6h46Om8a1y3d%252BhrdIpQ85cAfc%253D
>
> and pass all requests with a parameter of:
> sessionkey = ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D
>
>>  So that api.log file really needs to be protected in the same way a file
>> with a password in it would be
>
> I don't have the manager deployed anywhere to test this but I would hope the
> log file is read/write only to the owner user.
>
>> I would suggest that we just don't log the sessionId or sessionKey.
>
> +1 to that.
>
>
> On 13 September 2013 21:40, Darren Shepherd <darren.s.sheph...@gmail.com>
> wrote:
>>
>> I just noticed api.log which seems to log all the API access in a form
>> like
>>
>> 2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer]
>> (2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2 accountId=2
>> sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET
>> command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422
>> 200 { "listzonesresponse" : { "count":1 ,"zone" : [
>> {"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","securitygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorageenabled":false}
>> ] } }
>>
>> The sessionId and sessionKey are logged in the file.  I haven't tried it
>> yet, but can't I use that info to hijack the session?  That introduces a
>> security issue in that any server operator can now hijack anybody's session.
>> So that api.log file really needs to be protected in the same way a file
>> with a password in it would be.
>>
>> I would suggest that we just don't log the sessionId or sessionKey.
>>
>> Darren
>
>

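An added example, not part of the original thread or of CloudStack's code: a sketch of the two mitigations discussed above, masking session identifiers in an API log line and checking that the log file mode is owner-only. The sample line is constructed in the format quoted in the thread with placeholder token values; the function names are hypothetical.

```python
import re
import stat

# Matches sessionId=..., sessionkey=... and JSESSIONID=... wherever they
# appear: in the "(userId=.. accountId=.. sessionId=..)" context block or
# in the logged query string. The value ends at '&', whitespace or ')'.
_TOKEN = re.compile(r"(?i)\b(sessionid|sessionkey|jsessionid)=([^&\s)]+)")

MARKER = "[REDACTED]"


def redact(line: str) -> str:
    """Return the log line with session identifier values masked."""
    return _TOKEN.sub(lambda m: f"{m.group(1)}={MARKER}", line)


def owner_only(mode: int) -> bool:
    """True when no group/other permission bits are set (e.g. 0600)."""
    return stat.S_IMODE(mode) & 0o077 == 0


# Constructed sample line (placeholder tokens, not real session values).
SAMPLE = (
    "2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer] "
    "(ctx-example) (userId=2 accountId=2 sessionId=EXAMPLESESSIONID) "
    "127.0.0.1 -- GET command=listZones&response=json"
    "&sessionkey=EXAMPLE%2BKEY%3D&_=1379055729422 200 { }"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
    # 0o100664 is the st_mode of a regular file shown as -rw-rw-r--
    print("owner-only:", owner_only(0o100664))
```

In practice `owner_only` would be fed `os.stat(path).st_mode` for the log file, and `redact` would sit in front of whatever writes or ships the log.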