[
https://issues.apache.org/jira/browse/CLOUDSTACK-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13547617#comment-13547617
]
Sanjay Tripathi commented on CLOUDSTACK-819:
--------------------------------------------
I tested on my local setup and the way I tested is:
Access_log file before and after the change:
- For createAccount:
  o Before the fix: "GET /client/api?command=createAccount&response=json&sessionkey=k2WFsyfTrCV%2BEemlDpLFuRuB5Sc%3D&username=sanjay&password=5f1c5342818bf8c161d8ff4e18ff1720&email=sanjay%40gmail.com&firstname=sanjay&lastname=t&domainid=6922323e-c466-4185-b527-75b2b07e397a&account=sanjay&accounttype=0&_=1355726068829 HTTP/1.1" 200 976
  o After the fix: "POST /client/api?command=createAccount&response=json&sessionkey=k2WFsyfTrCV%2BEemlDpLFuRuB5Sc%3D HTTP/1.1" 200 961
- For createUser:
  o Before the fix: "GET /client/api?command=createUser&response=json&sessionkey=k2WFsyfTrCV%2BEemlDpLFuRuB5Sc%3D&username=try1&password=9711c44bc923072c69621cd5362de3e2&email=try1%40try.com&firstname=try1&lastname=try1&domainid=6922323e-c466-4185-b527-75b2b07e397a&account=try&accounttype=0&_=1355726605891 HTTP/1.1" 200 318
  o After the fix: "POST /client/api?command=createUser&response=json&sessionkey=k2WFsyfTrCV%2BEemlDpLFuRuB5Sc%3D HTTP/1.1" 200 318
> Create Account/User API logging password in access logs
> -------------------------------------------------------
>
> Key: CLOUDSTACK-819
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-819
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API, UI
> Affects Versions: 4.1.0
> Reporter: Sanjay Tripathi
> Assignee: Sanjay Tripathi
> Fix For: 4.1.0
>
> Attachments:
> 0001-CLOUDSTACK-819-Create-Account-User-API-logging-passw.patch
>
>
> We are also logging passwords for create account/user API in the access logs.
> Though they are MD5 hashed, the same can be easily used for logging in.
> The UI should make a POST call for them instead of a GET.
> Below are the access logs for these 2 APIs.
> "GET /client/api?command=createAccount&response=json&sessionkey=j%2FQCuPGl8lOy%2BrQFyaVoA7pHrEE%3D&username=n&password=7b8b965ad4bca0e41ab51de7b31363a1&email=n%40cloud.com&firstname=n&lastname=n&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355661100566 HTTP/1.1" 200 951
> "GET /client/api?command=createUser&response=json&sessionkey=PU5q1Duy8an1FKxypDk2RYBsYm4%3D&username=m&password=6f8f57715090da2632453988d9a1501b&email=m%40m.com&firstname=m&lastname=m&domainid=7c02d113-7d29-43a8-98ef-f05f35fb0318&account=n&accounttype=0&_=1355666364210 HTTP/1.1" 200 302
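A defender-side check for this class of leak, added here as an example and not code from the CloudStack project: it parses access log entries shaped like the ones quoted above, flags any request whose query string carries a password parameter (whatever the HTTP method), and produces a redacted copy suitable for retention. The sample lines and the list of sensitive parameter names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that must never be written to an access log (constructed list).
SENSITIVE_PARAMS = {"password", "secretkey", "apikey"}

# Matches the request part of an access log entry: "METHOD /target HTTP/x.y" status size
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: the pre-fix GET and the post-fix POST from the report (trimmed).
SAMPLE_LOG = [
    '"GET /client/api?command=createAccount&response=json&sessionkey=j%2FQCuPGl8lOy%2BrQFyaVoA7pHrEE%3D'
    '&username=n&password=7b8b965ad4bca0e41ab51de7b31363a1&email=n%40cloud.com&account=n HTTP/1.1" 200 951',
    '"POST /client/api?command=createAccount&response=json&sessionkey=k2WFsyfTrCV%2BEemlDpLFuRuB5Sc%3D HTTP/1.1" 200 961',
]


def scan_line(line):
    """Return a finding dict if the request line exposes a sensitive parameter, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qsl(query, keep_blank_values=True)
    leaked = [k for k, _ in params if k.lower() in SENSITIVE_PARAMS]
    if not leaked:
        return None
    return {"method": m.group("method"), "command": dict(params).get("command", "?"), "leaked": leaked}


def scan_log(lines):
    """Scan many lines; returns one finding per offending line."""
    return [f for f in (scan_line(l) for l in lines) if f is not None]


def redact_line(line):
    """Replace values of sensitive parameters with REDACTED; non-matching lines are returned unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    params = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(params)))
    return line.replace(m.group("target"), new_target, 1)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact_line(SAMPLE_LOG[0]))
```

Note that the POST line still carries the session key in the query string; a stricter deployment would add it to SENSITIVE_PARAMS as well.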