⭐ Alex ⭐
Well-known member
Affected version: 2.2
The Auth API endpoint requires sensitive info such as username and password, session ID, and cookie to be passed as query parameters.
Request URLs get logged in server access logs, which records these credentials in plain text in logs that may not even be in the hands of the forum owner.
This is a security concern and a data processing issue.
As a solution, the Auth API endpoint should either require use of the request body or header by default, or provide the option to.
(Did not post this in suggestion forums on purpose as they are public.)