I have realized that this bug is more serious than I thought. Landscape provides an API and, crucially, while the API is used through HTTP requests, all secrets are sent via GET parameters, for example (https://landscape.canonical.com/static/doc/api/requests.html):
https://landscape.canonical.com/api/
?action=GetComputers&
access_key_id=0GS7553JW74RRM612K02EXAMPLE&
signature_method=HmacSHA256&
signature_version=2&
timestamp=2011-08-18T08%3A07%3A00Z&
version=2011-08-01&
signature=W1TCDh39uBCk9MlaZo941Z8%2BTWqRtdgnbCueBrx%2BtvA%3D
All GET parameters will be shown at the /server-status endpoint. The attacker can't create an arbitrary API request, because he doesn't have the API secret key, but he can repeat requests performed by legitimate users within some timeframe.
For example, he can get private information by repeating a GetSettings API request, or perform unauthorized actions using a RebootComputers API request.
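Added illustration, not part of this bug report or of Landscape's own code: a server-side verifier for requests of the shape shown above. It assumes the signature is HmacSHA256 over the sorted query parameters (signature_version=2 style; Landscape's exact canonical form is not given here) and uses a constructed secret key. It shows why a copy taken from /server-status cannot be modified (the secret is never in the URL) but would be accepted unchanged unless the server enforces a timestamp window and a replay cache.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumption: HmacSHA256 over the sorted, URL-encoded parameters
# (signature_version=2 style); the page does not give the exact canonical form.
REPLAY_WINDOW_SECONDS = 300

def string_to_sign(params):
    """Every parameter except the signature itself, sorted by name."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "signature"))

def sign(params, secret_key):
    mac = hmac.new(secret_key.encode(), string_to_sign(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def parse_timestamp(ts):
    """ISO-8601 UTC timestamp (as in the request above) -> epoch seconds."""
    return calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

class Verifier:
    """Server-side check that rejects forged, stale and replayed requests."""
    def __init__(self, secrets, now=time.time):
        self.secrets = secrets  # access_key_id -> secret key (never in the URL)
        self.now = now
        self.seen = {}          # signature -> expiry time; the replay cache

    def verify(self, params):
        secret = self.secrets.get(params.get("access_key_id"))
        if secret is None:
            return "unknown key"
        expected = sign(params, secret)
        # Someone reading /server-status has the signature but not the secret,
        # so a modified request (e.g. a different action) fails here ...
        if not hmac.compare_digest(expected, params.get("signature", "")):
            return "bad signature"
        now = self.now()
        if abs(now - parse_timestamp(params["timestamp"])) > REPLAY_WINDOW_SECONDS:
            return "stale timestamp"
        # ... but an unmodified copy would pass, so remember signatures for
        # the whole window and refuse to honour the same one twice.
        self.seen = {s: exp for s, exp in self.seen.items() if exp > now}
        if expected in self.seen:
            return "replayed request"
        self.seen[expected] = now + REPLAY_WINDOW_SECONDS
        return "ok"
```

Without the timestamp window and the `seen` cache, the second `verify` of an identical request would return "ok", which is exactly the replay described above.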