Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-19-2018 12:43 PM
Warning if you use the test button next to an ldap server the userid and password are stored in clear text in /var/log/apache2/access.log since they are passed in the URL.
Example:
<IP> - - [19/Sep/2018:14:28:22 -0500] "GET /bin/authentication/servers/loginServers.php?_dc=1537385302801&id=1&type=LDAP&action=test&admin_user=<userid>&admin_
password=<password> HTTP/1.1" 200 749
this is on version 1.0.105
09-20-2018 03:24 AM
Hi, Good catch. We will move the request from GET to POST to avoid Apache logs stores the credentials.
<Remember> you are the owner of your Expedition VM and no one else has access to it other than you.
Thanks for let us know and help us to improve Expedition.
09-20-2018 06:13 AM
Not disagreeing it is my expedition server, but if you are doing log forwarding or at a minium whomever has access to the cli has access to the logs until it gets rotated out and deleted. ( I haven't checked the logrotate settings)
Might I also suggest when you change that auth test to a post you also purge the apache2 accept logs or at least the values in those logs?
09-21-2018 11:27 PM
When we move to post the values will not be stored in the logs anymore and by now how you are root you can just remove your logs from
sudo cd /var/log/apache2/ sudo rm -rf access.log* sudo rm -rf error.log*
That will remove all your current logs.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
