If anybody got access to the api.log, using the session details we can execute APIs and cause harm. But the api.log is present on the mgmt server, and if anybody got access to it, he can corrupt anything. Not just api.log: he can access any other service's logs and get the data. I feel it's up to the admin how to protect his system and services.

Thanks
Rajesh Battala

-----Original Message-----
From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
Sent: Saturday, September 14, 2013 2:10 AM
To: dev@cloudstack.apache.org
Subject: security around api.log

I just noticed api.log, which seems to log all the API access in a form like

2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422 200 { "listzonesresponse" : { "count":1 ,"zone" : [ {"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","securitygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorageenabled":false} ] } }

The sessionId and sessionKey are logged in the file. I haven't tried it yet, but can't I use that info to hijack the session? That introduces a security issue in that any server operator can now hijack anybody's session. So that api.log file really needs to be protected in the same way a file with a password in it would be.

I would suggest that we just don't log the sessionId or sessionKey.

Darren
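
The redaction suggested in the original message, applied as a filter over log lines in the quoted format. This is an added example, not part of the thread and not CloudStack code. The function names, the `API_LOG_REDACT_KEY` variable and the choice to substitute a truncated HMAC tag (so requests can still be grouped per session without exposing a usable value) are assumptions.

```python
import hashlib
import hmac
import os
import re
import sys

# Constructed sample in the api.log format quoted in the thread; all values are made up.
SAMPLE = (
    "2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (ctx-00000000) "
    "(userId=2 accountId=2 sessionId=EXAMPLEsessionid0000) 127.0.0.1 -- GET "
    "command=listZones&response=json&sessionkey=EXAMPLE%2Bkey%3D&_=1379055729422 200 {}"
)

# sessionId sits in the parenthesised context block; sessionkey is a query
# parameter. Values end at whitespace, '&' or ')'.
SECRET_FIELDS = re.compile(r"\b(sessionid|sessionkey)=([^\s&)]+)", re.IGNORECASE)


def tag(value: str, secret: bytes) -> str:
    """Non-replayable stand-in: truncated HMAC, stable per (secret, value)."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "redacted:" + digest[:12]


def redact_line(line: str, secret: bytes) -> str:
    """Replace sessionId/sessionkey values, leaving every other field intact."""
    return SECRET_FIELDS.sub(lambda m: f"{m.group(1)}={tag(m.group(2), secret)}", line)


if __name__ == "__main__":
    # API_LOG_REDACT_KEY is a hypothetical variable name; without it a random
    # per-run key is used, so tags only correlate within one run.
    key = os.environ.get("API_LOG_REDACT_KEY", "").encode() or os.urandom(32)
    for raw in sys.stdin:
        sys.stdout.write(redact_line(raw, key))
```

Run as a stdin-to-stdout filter over api.log before the file is copied off the management server or shipped to a shared log store.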