I c.. so the API Key and Signature generation is obsolete as well?

-----Original Message-----
From: Edison Su [mailto:[email protected]]
Sent: Monday, October 22, 2012 4:16 PM
To: [email protected]
Subject: RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

By default, port 8096 is disabled, and is intended to be without API signature/key check. If the 8096 is turned on by yourself, then somehow, it's up to you how to secure it.

> -----Original Message-----
> From: Musayev, Ilya [mailto:[email protected]]
> Sent: Monday, October 22, 2012 1:04 PM
> To: [email protected]
> Subject: API Key and Signature security flaw on CS4 - jenkins build
> non-oss 137
>
> I guess I found a not so cool feature/bug which is at this moment a
> major security flaw for locally authenticated ssh use or from another
> host on the network.
>
> The API signature and key are not checked at all - I'm able to run the
> commands against API port with any key - and command is executed
> without checking the validity of Key/Signature.
>
> Is this a known bug that may have been addressed or do I need to file
> one?
>
> How do we restrict access to 8096 from another host? Is it done via
> iptables or some access rule in tomcat?
>
> If it's iptables we need a deny rule for 8096 from external hosts by
> default probably with setup script.
>
> Thanks
> ilya
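The thread above turns on the difference between the authenticated API port, which recomputes and checks the request signature, and the integration port 8096, which by design executes whatever it receives. The following is an added example, not CloudStack's own code and not posted by anyone in the thread: it models that distinction in Python. The signing scheme (HMAC-SHA1 over the lowercased, name-sorted, URL-encoded query string, base64-encoded) is modelled on the one CloudStack documents for its API but is an assumption here, as are the constructed credentials, the function names and the `handle_request` dispatcher.

```python
"""Constructed model of API-key + signature checking on an authenticated
port versus the unauthenticated integration port (8096).

Example code added for illustration; not CloudStack's implementation.
The signing scheme below is an assumption modelled on CloudStack's
documented API signing, and the credentials are made up.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credential store: api key -> secret key (not real keys).
USERS = {
    "example-api-key": "example-secret-key",
}


def canonical_query(params: dict) -> str:
    """String that gets signed: parameters sorted by name, values URL-encoded,
    the whole thing lowercased. The 'signature' parameter itself is excluded."""
    parts = []
    for name in sorted(k for k in params if k != "signature"):
        parts.append(f"{name}={quote(str(params[name]), safe='')}")
    return "&".join(parts).lower()


def sign(params: dict, secret: str) -> str:
    """Client side: HMAC-SHA1 of the canonical query under the secret key,
    base64-encoded. This is the value sent as the 'signature' parameter."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(params: dict, users: dict = USERS) -> bool:
    """Server side: look up the secret for the presented apikey, recompute the
    signature and compare in constant time. Any missing or unknown field
    yields False rather than an exception, so the caller always rejects."""
    api_key = params.get("apikey")
    presented = params.get("signature")
    if not api_key or not presented:
        return False
    secret = users.get(api_key)
    if secret is None:
        return False
    return hmac.compare_digest(sign(params, secret), presented)


def handle_request(port: int, params: dict) -> str:
    """Model of the two listeners. The authenticated port refuses unsigned or
    badly signed requests; the integration port (8096) runs the command with
    no credential check at all, which is why it ships disabled and, if enabled,
    must be reachable only from trusted hosts (e.g. loopback or a firewall
    allow-list), as the thread above discusses."""
    if port == 8096:
        return "executed (no credential check on integration port)"
    if verify(params):
        return "executed"
    return "rejected: missing or invalid signature"


if __name__ == "__main__":
    req = {"command": "listUsers", "response": "json", "apikey": "example-api-key"}
    req["signature"] = sign(req, USERS["example-api-key"])
    print("8080 signed:  ", handle_request(8080, req))
    tampered = dict(req, command="deleteUser")
    print("8080 tampered:", handle_request(8080, tampered))
    print("8096 unsigned:", handle_request(8096, {"command": "listUsers"}))
```

The point for operators is the last branch: nothing in the request to the integration port is verified, so an iptables rule (or equivalent host filtering) is the only control between the network and command execution once 8096 is enabled.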
