Question about logs

log security

No replies to this topic

#1 anderbytes (Advanced Member, 1087 posts, Rio de Janeiro - Brazil)

Posted 27 April 2016 - 02:27 PM

I've seen that in "Manage Server > Help > Logs", where the Logs list can be found, each one can be read and downloaded. OK so far.

The problem is: the generated URLs create a persistent authentication bypass where anyone with that URL can directly read this and other logs (simply by varying the incremental number).

Example: https://www.mydomain...42c519dcc75a06e

I modified the api_key here in this topic on purpose, or else anyone here would be allowed to download my logs. -_-

The problem: your browsing URL can be seen in a number of different places (cumulatively):

- Your local computers, by other users
- A network proxy, if you're accessing from an office (any IT employee there)
- Your ISP, which in other cases would not have that kind of information about your server (any IT employee there)
- NSA (everyone there) ;)

So... is it possible that the API_KEY will be hidden and a POST header (session-based) used instead?

Thanks!


Edited by anderbytes, 27 April 2016 - 02:30 PM.
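The two designs the post contrasts, as an added example that is not part of the original post and not the product's own code: a log-download handler that accepts a long-lived `api_key` in the query string and a sequential log id with no ownership check, next to one that exchanges the key once for a short-lived session cookie, takes the request as a POST so the credential never lands in a URL, and checks that the requested log belongs to the logged-in user. The `Request` class, the `USERS` and `LOG_STORE` tables and the key values are constructed stand-ins.

```python
"""Added example: api_key-in-URL log download vs. session-based, authorized download.
Not code from the forum post or the product; all data below is constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: two server owners, each owning one log file.
USERS = {
    "alice": {"api_key": "alice-static-key", "logs": {1}},
    "bob": {"api_key": "bob-static-key", "logs": {2}},
}
LOG_STORE = {1: "2016-04-27 alice server log", 2: "2016-04-27 bob server log"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for this example only)."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)   # URL query string
    form: Dict[str, str] = field(default_factory=dict)    # POST body fields
    cookies: Dict[str, str] = field(default_factory=dict)


def _parse_id(raw: Optional[str]) -> Optional[int]:
    """Return the log id as int, or None when it is missing or not numeric."""
    try:
        return int(raw) if raw is not None else None
    except ValueError:
        return None


# --- weak design: bearer key in the URL, sequential ids, no ownership check ---
def weak_download(req: Request) -> Tuple[int, str]:
    key = req.query.get("api_key", "")
    # Only proves the key belongs to *some* user. The key sits in browser
    # history, proxy logs and Referer headers, and once known it opens log 1, 2, 3...
    if not any(hmac.compare_digest(key, u["api_key"]) for u in USERS.values()):
        return 401, "bad api key"
    log_id = _parse_id(req.query.get("id"))
    if log_id not in LOG_STORE:
        return 404, "no such log"
    return 200, LOG_STORE[log_id]


# --- hardened design: short-lived session, POST, per-log authorization ---
SESSION_TTL = 15 * 60                     # seconds; expires server-side
SESSIONS: Dict[str, Dict] = {}            # session id -> {"user", "expires"}


def login(username: str, api_key: str) -> Optional[str]:
    """Exchange the long-lived key once (sent in a POST body) for a random session id."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(api_key, user["api_key"]):
        return None
    sid = secrets.token_urlsafe(32)       # unguessable, not derived from the key
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    return sid


def current_user(req: Request) -> Optional[str]:
    """Resolve the session cookie to a user, dropping expired sessions."""
    sid = req.cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["expires"] < time.time():
        SESSIONS.pop(sid, None)
        return None
    return sess["user"]


def hardened_download(req: Request) -> Tuple[int, str]:
    if req.method != "POST":
        return 405, "use POST"            # keeps log id and credential out of the URL
    user = current_user(req)
    if user is None:
        return 401, "not logged in"       # authentication
    log_id = _parse_id(req.form.get("id"))
    # Authorization, not just authentication: the log must belong to this user,
    # so walking the incremental ids returns nothing for other people's logs.
    if log_id not in USERS[user]["logs"]:
        return 403, "not your log"
    return 200, LOG_STORE[log_id]


if __name__ == "__main__":
    sid = login("alice", "alice-static-key")
    print(weak_download(Request("GET", "/logs", query={"api_key": "alice-static-key", "id": "2"})))
    print(hardened_download(Request("POST", "/logs", form={"id": "2"}, cookies={"session": sid})))
```

Run as a script, the weak handler hands Alice's key access to Bob's log, while the hardened handler answers 403 for the same id. The session id is random and expires server-side, so a value captured from a screen or a proxy log is worth far less than a static key that never rotates, and the ownership check is what stops the incremental-id walk regardless of how the caller authenticated.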
