Fixed Credential Leakage In Auth API

⭐ Alex ⭐

Affected version: 2.2
The Auth API endpoint requires sensitive info such as the username and password, session id, and cookie to be passed as query parameters.

Request URLs get logged in server access logs, which record these credentials in plain text into logs that may not even be in the hands of the forum owner.

This is a security concern and data processing issue.

As a solution, the Auth API endpoint should either require use of the request body or a header by default, or provide the option to.

(Did not post this in suggestion forums on purpose as they are public.)
 
Generally speaking for endpoints that are POST requests, the assumption is that parameters will be passed in via the request body rather than via a query string. Most HTTP libraries will have systems to handle this for you.

XenForo in general doesn't distinguish where input comes from, though it does have a priority order.
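To make the logging difference concrete, here is an added example (not XenForo's code or anyone's post in this thread) that builds the auth POST both ways, renders the access-log line a typical web server would write for each, and scans log lines for leaked credential parameters. The parameter names `login` and `password` come from the change log below; `session_id` is an assumed name, and the host, IP and timestamp are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameter names that must never appear in a URL, because URLs end up in access logs.
# "login" and "password" are the Auth endpoint's documented names; "session_id" is an assumption.
SENSITIVE_PARAMS = {"login", "password", "session_id"}


def build_auth_request(base_url, creds, in_body=True):
    """Return (url, headers, body) for a POST to the auth endpoint.

    in_body=False reproduces the pattern from the report: credentials in the query string.
    in_body=True sends them form-encoded in the body with the required Content-Type header.
    """
    encoded = urlencode(creds)
    if in_body:
        return base_url, {"Content-Type": "application/x-www-form-urlencoded"}, encoded
    return f"{base_url}?{encoded}", {}, ""


def access_log_line(method, url, status=200):
    """Render what a common-log-format access log records: the request line, never the body."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    # Constructed client IP and timestamp for illustration.
    return f'203.0.113.5 - - [03/Jan/2021:19:29:30 +0000] "{method} {target} HTTP/1.1" {status} 512'


def leaked_params(log_line):
    """Return the set of sensitive parameter names exposed in a log line's query string.

    Useful for auditing existing logs for the leak described in the report.
    """
    try:
        request_line = log_line.split('"')[1]       # POST /api/auth?... HTTP/1.1
        target = request_line.split(" ")[1]
    except IndexError:
        return set()                                 # not a request line we recognise
    query = urlsplit(target).query
    return {name for name in parse_qs(query) if name in SENSITIVE_PARAMS}


if __name__ == "__main__":
    creds = {"login": "alex", "password": "hunter2"}  # constructed sample credentials
    for in_body in (False, True):
        url, headers, body = build_auth_request("https://forum.example/api/auth", creds, in_body)
        line = access_log_line("POST", url)
        print(line)
        print("  leaked:", leaked_params(line) or "nothing")
```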
 
Do you think XF should reject it in the query string for the Auth endpoint to prevent unknowing developers from passing it that way?


Edit: The content type header must be application/x-www-form-urlencoded if sending via body.

Also, I can't get it to work with the request body.

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:
Adjust Auth::actionPost API documentation to recommend the login/password parameters should be passed into the request body to go along with a general recommendation in our development documentation that this should generally be done for all non-GET requests.
There may be a delay before changes are rolled out to the XenForo Community.