I c.. so the API Key and Signature generation is obsolete as well?

-----Original Message-----
From: Edison Su [mailto:edison...@citrix.com]
Sent: Monday, October 22, 2012 4:16 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

By default, port 8096 is disabled, and is intended to be without API signature/key check. If the 8096 is turned on by yourself, then somehow, it's up to you how to secure it.

> -----Original Message-----
> From: Musayev, Ilya [mailto:imusa...@webmd.net]
> Sent: Monday, October 22, 2012 1:04 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: API Key and Signature security flaw on CS4 - jenkins build
> non-oss 137
>
> I guess I found a not so cool feature/bug which at this moment is a
> major security flaw for locally authenticated ssh use or from another
> host on the network.
>
> The API signature and key are not checked at all - I'm able to run the
> commands against API port with any key - and command is executed
> without checking the validity of Key/Signature.
>
> Is this a known bug that may have been addressed or do I need to file
> one?
>
> How do we restrict access to 8096 from another host? Is it done via
> iptables or some access rule in tomcat?
>
> If it's iptables we need a deny rule for 8096 from external hosts by
> default probably with setup script.
>
> Thanks
> ilya
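
A way to check the exposure discussed in this thread, added here as an example and not part of any message above or of CloudStack itself: the script flags listeners on port 8096 that are bound to a non-loopback address. It assumes Linux `ss -ltn` output as input; the sample lines and function names are constructed for illustration.

```python
import ipaddress

INTEGRATION_PORT = 8096  # the unauthenticated API port named in the thread

# Constructed sample in `ss -ltn` format (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8096     0.0.0.0:*
LISTEN 0      50     *:8096             *:*
LISTEN 0      50     [::]:8096          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     [::1]:8096         [::]:*
LISTEN 0      50     10.0.0.5:8096      0.0.0.0:*
"""


def split_local(field):
    """Split the Local Address:Port column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop an interface scope such as %eth0, then the IPv6 brackets.
    return addr.split("%")[0].strip("[]"), int(port)


def exposed_listeners(ss_output, port=INTEGRATION_PORT):
    """Return the listeners on `port` that other hosts could reach."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, local_port = split_local(cols[3])
        if local_port != port:
            continue
        # "*" is a wildcard bind; 0.0.0.0 and :: are also non-loopback.
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            exposed.append(cols[3])
    return exposed


if __name__ == "__main__":
    for listener in exposed_listeners(SAMPLE_SS_OUTPUT):
        print("reachable from other hosts:", listener)
```

An empty result means the port is either closed or bound to loopback only; any entry returned is a candidate for the firewall deny rule asked about in the thread.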