details (session details, passwords etc.) and
> dump it.
>
> Thanks
> Rajesh Battala
>
> -Original Message-
> From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
> Sent: Wednesday, September 18, 2013 12:33 PM
> To: dev@cloudstack.apache.org
> Subject:
18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log
We can provide a way to disable the api.log?
On 18/09/13 11:27 am, "Rajesh Battala" wrote:
>If anybody got access to the api.log using the session details we can
>execute APIs and cause harm.
>But the api.log is present in the mgmt server and if anybody got access
>to it, he can corrupt any
If anybody got access to the api.log using the session details we can
execute APIs and cause harm.
But the api.log is present in the mgmt server and if anybody got access to it,
he can corrupt anything.
Not just accessing api.log, any other services logs and get the data. I feel
it's up to
Just after doing an installation of CloudStack 4.1.1
apilog.log was created with the following permissions:
-rw-rw-r--. 1 cloud cloud 95449 Sep 18 01:05 apilog.log
Owner.............rw
Group.............rw
Nobody/everybody..r
Considering what was discussed above this is not
> I haven't tried it yet, but can't I use that info to hijack the session?
You can...
Create a cookie: (please excuse the full stops as spaces, didn't trust it
to render correctly)
Key... Value
JSESSIONID 7asvmtwoesbc6ia3e4kxtzrl
sessionKey .