© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
513534c
demo site
(Get the code!)
When using a token to do an AUTH_test, the swift proxy logs the token used if successful, this can lead to possible security issue by granting access to a swift cluster to a person who just has access to the logs. This issue is present when tempAuth authentication flow is used.
The steps to recreate the issue:
1. Install a swift all in one Instance (SAIO).
2. Retrieve admin token from cli using the command inside of an SAIO cluster,
```
swift -A http://
```
3. Retrieve the auth token from CLI and issue the command,
```
curl -i http://
```
The log written to disk when this command is executed has the token AUTH_tk44d4f009
```
Jan 10 21:31:58 ubuntu-xenial proxy-server: STDERR: (28655) accepted ('127.0.0.1', 48506)
Jan 10 21:31:58 ubuntu-xenial proxy-server: User: admin uses token AUTH_tk44d4f009
Jan 10 21:31:58 ubuntu-xenial proxy-server: User admin:admin has reseller admin authorizing. (txn: tx77daa27b44374
Jan 10 21:31:58 ubuntu-xenial account-6012: STDERR: (28635) accepted ('127.0.0.1', 46292)
Jan 10 21:31:58 ubuntu-xenial account-6012: 127.0.0.1 - - [10/Jan/
Jan 10 21:31:58 ubuntu-xenial account-6012: STDERR: 127.0.0.1 - - [10/Jan/2017 21:31:58] "HEAD /sdb1/802/AUTH_test HTTP/1.1" 204 442 0.002273 (txn: tx77daa27b44374
Jan 10 21:31:58 ubuntu-xenial proxy-server: removed response headers: [('X-Backend-
Jan 10 21:31:58 ubuntu-xenial proxy-server: 127.0.0.1 127.0.0.1 10/Jan/
Jan 10
```
This is part of the swift security testing done as part of OSIC. Kindly comment if this is considered as a security issue in swift. From our perspective, under no circumstance the Auth Token be written to log files as then it can be accessed by a possible third party.