Fixed Credential Leakage In Auth API

Affected version
2.2

Pawn Studios

Active member
The Auth API endpoint requires sensitive info such as username and password, session id, and cookie to be passed as query parameters.

Request URLs get logged in server access logs, which record these credentials in plain text in logs that may not even be in the hands of the forum owner.

This is a security concern and data processing issue.

As a solution, the Auth API endpoint should either require the request body or a header by default, or provide the option to use them.

(Did not post this in suggestion forums on purpose as they are public.)

Mike

XenForo developer
Staff member
Generally speaking for endpoints that are POST requests, the assumption is that parameters will be passed in via the request body rather than via a query string. Most HTTP libraries will have systems to handle this for you.

XenForo in general doesn't distinguish where input comes from, though it does have a priority order.

Pawn Studios

Active member
> Generally speaking for endpoints that are POST requests, the assumption is that parameters will be passed in via the request body rather than via a query string. Most HTTP libraries will have systems to handle this for you.
>
> XenForo in general doesn't distinguish where input comes from, though it does have a priority order.

Do you think XF should reject it in the query string for the Auth endpoint to prevent unknowing developers from passing it that way?


Edit: The content type header must be application/x-www-form-urlencoded if sending via body.

Also, I can't get it to work with request body.


XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:
Adjust Auth::actionPost API documentation to recommend the login/password parameters should be passed into the request body to go along with a general recommendation in our development documentation that this should generally be done for all non-GET requests.
There may be a delay before changes are rolled out to the XenForo Community.
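Added example (not code from the thread, XenForo, or its documentation) showing the two defensive halves of this report: a login POST built so the credentials travel in a form-encoded body rather than the URL, and a scan of access-log lines for credentials that did end up in a query string. The endpoint URL, the sample log lines and the set of parameter names are assumptions made for the example.

```python
"""Keep credentials out of the URL (so they never reach the access log) and
detect the ones that already got there. Example code, not XenForo's own."""
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed endpoint: the thread names Auth::actionPost but not the URL path.
AUTH_URL = "https://forum.example.invalid/api/auth"
# Parameter names the thread treats as sensitive (login/password per the change log).
SENSITIVE_PARAMS = {"login", "username", "password", "session_id", "cookie"}

def build_auth_request(login: str, password: str) -> dict:
    """Return method/url/headers/body for a login POST. The body is
    form-encoded, so the server only ever logs the bare request path."""
    body = urlencode({"login": login, "password": password})
    # Required so the server parses the body as form parameters.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return {"method": "POST", "url": AUTH_URL, "headers": headers, "body": body}

# Request field of a combined-log-format line: "METHOD /path?query HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def find_credential_leaks(log_lines):
    """Return (line_no, method, leaked_param_names) for each line whose query
    string carries a sensitive parameter, whatever the HTTP method."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        leaked = sorted(SENSITIVE_PARAMS & {k.lower() for k in query})
        if leaked:
            hits.append((no, m.group("method"), leaked))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2021:16:49:30 +0000] "POST /api/auth?login=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Jan/2021:16:49:31 +0000] "POST /api/auth HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Jan/2021:16:50:02 +0000] "GET /api/threads?page=2 HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    req = build_auth_request("alice", "hunter2")
    print("path the server will log:", urlsplit(req["url"]).path)
    for no, method, leaked in find_credential_leaks(SAMPLE_LOG):
        print(f"line {no}: {method} request leaked {', '.join(leaked)} via query string")
```

Only the first sample line is flagged; the second shows what the same login looks like in the log once the parameters are moved into the body.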