RSS access key and security problem

Added by Anh Kỳ Huỳnh almost 16 years ago

Hello all,

Someone who uses Redmine may like to use the RSS access key to track the issues' statuses via an RSS reader. I think that the problem may be caused here.

Assuming that I join some projects which are private, I may access the issue listing via RSS like this:

some_path/projects/redmine/issues?format=atom&key=RSS_KEY

Such access may be logged by the web server and proxy server. If a black hacker views the access logs, he clearly knows my RSS access key and he will use that key to know almost everything from my private projects.

I am afraid that using the RSS access key will cause a security hole.

What do you think about this issue?

PS: sorry for my bad English.
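
The log exposure described in the post above, as an added example that is not part of the original thread or Redmine's own code: it redacts `key=` values from access log lines and reports, by fingerprint, which keys appear in the logs and from how many client addresses. It assumes Combined Log Format; the sample lines, addresses and key values are constructed, and a key seen from several addresses is only a heuristic hint that it should be reset.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Matches key=<value> in a query string, in the request line or the Referer field.
KEY_PARAM = re.compile(r'([?&]key=)([^&\s"]+)')
# Combined Log Format (assumed): client ident user [time] "request" status size "referer"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+(?: "([^"]*)")?')

def redact(line):
    """Return the log line with every key= value replaced, rest left intact."""
    return KEY_PARAM.sub(r'\1[REDACTED]', line)

def fingerprint(key):
    """Short SHA-256 prefix so a report can identify a key without repeating it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def exposed_keys(lines):
    """Map key fingerprint -> set of client addresses that presented that key."""
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a line in the assumed format
        client, _method, target, _status, referer = m.groups()
        # The key can leak through the request target or through a Referer URL.
        for url in (target, referer or ""):
            query = dict(parse_qsl(urlsplit(url).query))
            if "key" in query:
                seen.setdefault(fingerprint(query["key"]), set()).add(client)
    return seen

# Constructed sample lines: documentation-range addresses, made-up key values.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /projects/redmine/issues?format=atom&key=aaaa1111 HTTP/1.1" 200 5120 "-" "FeedReader"',
    '198.51.100.7 - - [01/Jan/2010:10:05:00 +0000] "GET /projects/redmine/issues?format=atom&key=aaaa1111 HTTP/1.1" 200 5120 "-" "FeedReader"',
    '192.0.2.10 - - [01/Jan/2010:10:06:00 +0000] "GET /projects/redmine/issues HTTP/1.1" 200 900 "-" "Browser"',
]

if __name__ == "__main__":
    for fp, clients in exposed_keys(SAMPLE).items():
        note = "multiple addresses" if len(clients) > 1 else "single address"
        print(fp, sorted(clients), note)
    print(redact(SAMPLE[0]))
```

Running `redact` before logs are archived or shipped elsewhere limits who can read the key; any key that `exposed_keys` reports is already in the logs and is a candidate for a reset.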


Replies (1)

RE: RSS access key and security problem - Added by Thomas Pihl almost 16 years ago

If he hacks your server for your Redmine information he'll probably dump and steal the database instead of reading the access log. The passwords are in the config directory.

I don't see this as a problem really.

/T
