I've seen that in "Manage Server > Help > Logs", where the Logs list can be found... each one can be read and downloaded, OK so far.
The problem is: the generated URLs create a persistent authentication bypass, where anyone with that URL can directly read this and other logs (simply by varying the incremental number).
I modified the api_key here in this topic on purpose... or else anyone here would be allowed to download my logs.
The problem: your browsing URL can be seen in a number of different places (cumulatively):
- Your local computers, by other users
- A network proxy, if you're accessing from an office (any IT employee there)
- Your ISP, which otherwise would not have that kind of information about your server (any IT employee there)
- NSA (everyone there)
So... is it possible for the API_KEY to be hidden and a POST header (session-based) used instead?
Edited by anderbytes, 27 April 2016 - 02:30 PM.
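The difference the post is asking about, as an added example that is not code from the post or from the server software being discussed: a weak check that accepts `api_key` from the query string (so the key ends up in browser history, proxy and server access logs) beside a strict check that only accepts it from a request header, plus a redactor that masks any key that does reach a log line. The header name `X-Api-Key`, the key store and the sample key are assumptions chosen for the example.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample key store (api key -> user). A real server would store
# hashes of the keys, not the keys themselves; this is only for the demo.
VALID_KEYS = {"k3y-for-alice": "alice"}

# Matches "api_key=<value>" in a query string, case-insensitively.
_API_KEY_IN_QUERY = re.compile(r"(?i)(api_key=)[^&#]*")


def _lookup(presented: str):
    """Return the user owning the presented key, or None.

    hmac.compare_digest keeps the comparison constant-time so a wrong key
    cannot be narrowed down character by character via timing.
    """
    for key, user in VALID_KEYS.items():
        if hmac.compare_digest(presented.encode(), key.encode()):
            return user
    return None


def authenticate_weak(method: str, url: str, headers: dict):
    """The risky pattern from the post: key taken straight from the URL.

    Anyone who sees the URL (history, proxy, ISP, access logs) can replay it,
    and can change the log number to fetch other logs with the same key.
    """
    query = parse_qs(urlsplit(url).query)
    presented = query.get("api_key", [""])[0]
    return _lookup(presented)


def authenticate(method: str, url: str, headers: dict):
    """Stricter variant: the key is accepted only from the X-Api-Key header.

    A key appearing in the query string is refused outright rather than
    ignored, so a copied-and-pasted URL never works and the misuse is visible
    to whoever is debugging the client.
    """
    query = parse_qs(urlsplit(url).query)
    if "api_key" in query:
        return None  # refuse keys carried in the URL
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-api-key", "")
    return _lookup(presented)


def redact_url(url: str) -> str:
    """Mask the api_key value before a URL is written to an access log."""
    return _API_KEY_IN_QUERY.sub(r"\1[REDACTED]", url)


def access_log_line(method: str, url: str, status: int) -> str:
    """Build the line an access log should record: never the raw key."""
    return f"{method} {redact_url(url)} {status}"


if __name__ == "__main__":
    leaked = "/Logs/1?api_key=k3y-for-alice"
    print("weak  :", authenticate_weak("GET", leaked, {}))
    print("strict:", authenticate("GET", leaked, {}))
    print("strict:", authenticate("GET", "/Logs/1", {"X-Api-Key": "k3y-for-alice"}))
    print(access_log_line("GET", leaked, 200))
```

The point of refusing, rather than silently ignoring, a key in the query string is that a client which has been built around the leaky URL form fails loudly and gets fixed, instead of continuing to spray the key into every intermediary's logs while the server quietly accepts the header form as well.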