We can provide a way to disable the api.log?
On 18/09/13 11:27 am, Rajesh Battala rajesh.batt...@citrix.com wrote:
If anybody got access to the api.log using the session details we can
execute APIs and cause harm.
But the api.log is present in the mgmt server and if anybody got access
to
18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log
We can provide a way to disable the api.log?
On 18/09/13 11:27 am, Rajesh Battala rajesh.batt...@citrix.com wrote:
If anybody got access to the api.log using the session details we can
execute APIs
the sensitive details (session details, passwords etc ) and
dump it.
Thanks
Rajesh Battala
-Original Message-
From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
Sent: Wednesday, September 18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log
We
Just after doing an installation of CloudStack 4.1.1
apilog.log was created with the following permissions:
-rw-rw-r--. 1 cloud cloud 95449 Sep 18 01:05 apilog.log
Owner: rw
Group: rw
Nobody/everybody: r
Considering what was discussed above this is not
If anybody got access to the api.log using the session details we can
execute APIs and cause harm.
But the api.log is present in the mgmt server and if anybody got access to it,
he can corrupt anything.
Not just accessing api.log, any other services logs and get the data. I feel
it's up to
I haven't tried it yet, but can't I use that info to hijack the session?
You can...
Create a cookie: (please excuse the full stops as spaces, didn't trust it
to render correctly)
Key... Value
JSESSIONID 7asvmtwoesbc6ia3e4kxtzrl
sessionKey