, 2013 2:10 AM
To: dev@cloudstack.apache.org
Subject: security around api.log
I just noticed api.log which seems to log all the API access in a form
like
2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer]
(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2
accountId=2 sessionId
18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log
We can provide a way to disable the api.log ?
On 18/09/13 11:27 am, Rajesh Battala rajesh.batt...@citrix.com wrote:
If anybody got access to the api.log, using the session details we can
execute APIs
the sensitive details (session details, passwords etc.) and
dump it.
Thanks
Rajesh Battala
-Original Message-
From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
Sent: Wednesday, September 18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log
We
Just after doing an installation of Cloudstack 4.1.1
apilog.log was created with the following permissions:
-rw-rw-r--. 1 cloud cloud 95449 Sep 18 01:05 apilog.log
Owner: rw
Group: rw
Nobody/everybody: r
Considering what was discussed above this is not
to admin how to protect his system and services.
Thanks
Rajesh Battala
-Original Message-
From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
Sent: Saturday, September 14, 2013 2:10 AM
To: dev@cloudstack.apache.org
Subject: security around api.log
I just noticed api.log which seems to log all the API access in a form like
2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer]
(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2
accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET
I haven't tried it yet, but can't I use that info to hijack the session?
You can...
Create a cookie: (please excuse the full stops as spaces, didn't trust it
to render correctly)
Key... Value
JSESSIONID 7asvmtwoesbc6ia3e4kxtzrl
sessionKey
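As an added defender-side example (not code from this thread and not CloudStack's own code), the script below shows two checks an operator could run against an api.log in the format quoted above: redacting the sessionId value (and a sessionkey= request parameter, which is an assumption about what the logged request string may contain) before the log is copied or shared, and reporting group/other permission bits on a file created with the -rw-rw-r-- mode Rajesh observed, then tightening it to owner-only. The sample log lines are constructed, and the names redact_session_tokens, permission_findings, harden_log_file and demo are chosen here.

```python
"""Added example (not CloudStack code): redact session identifiers from
api.log-style lines and flag an over-permissive log file mode."""
import os
import re
import stat
import tempfile

# Constructed sample lines in the shape of the api.log entry quoted in the
# thread. The session id is the one from the quoted line; the request tail
# after GET (command=..., sessionkey=...) is an assumption made for this demo.
SAMPLE_LOG = (
    "2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] "
    "(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) "
    "(userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET "
    "command=listZones&response=json&sessionkey=CONSTRUCTEDKEY%3D\n"
    "2013-09-13 00:02:10,002 INFO [a.c.c.a.ApiServer] "
    "(2011638958@qtp-657397168-0:ctx-81b1e089 ctx-174e4a63) "
    "(userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET "
    "command=listVirtualMachines&response=json\n"
)

# Session id inside the "(userId=.. accountId=.. sessionId=..)" group.
SESSION_ID_RE = re.compile(r"(sessionId=)([^)\s]+)")
# Assumption: a sessionkey=... query parameter may appear in the request
# string; it is matched case-insensitively so sessionKey= is caught too.
SESSION_KEY_RE = re.compile(r"(sessionkey=)([^&\s]+)", re.IGNORECASE)

REDACTED = "<redacted>"


def redact_session_tokens(line: str) -> str:
    """Return the log line with sessionId / sessionkey values replaced."""
    line = SESSION_ID_RE.sub(lambda m: m.group(1) + REDACTED, line)
    return SESSION_KEY_RE.sub(lambda m: m.group(1) + REDACTED, line)


def redact_log(lines):
    """Redact every line of an api.log before it leaves the host."""
    return [redact_session_tokens(line) for line in lines]


def permission_findings(path: str) -> list:
    """List which group/other access bits are set on the log file."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def harden_log_file(path: str) -> str:
    """Restrict the file to owner read/write (0600); return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.filemode(os.stat(path).st_mode)


def demo():
    """Create apilog.log with the 0664 mode from the thread, then audit,
    harden and redact it. Returns (findings before, mode after, lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "apilog.log")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o664)  # -rw-rw-r-- as reported in the thread
        before = permission_findings(path)
        after_mode = harden_log_file(path)
        with open(path) as fh:
            redacted = redact_log(fh.read().splitlines())
        return before, after_mode, redacted


if __name__ == "__main__":
    found, mode_after, lines = demo()
    print("findings before hardening:", found)
    print("mode after hardening:", mode_after)
    for redacted_line in lines:
        print(redacted_line)
```

The redaction is meant for copies of the log that get attached to bug reports or shipped to a central collector; the permission check is the kind of thing a post-install audit script would run, since the mode shown in the thread lets any local account in the cloud group or in "others" read the session identifiers.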