Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/16 02:13:27 UTC

[GitHub] [apisix] j4ckzh0u opened a new issue #5070: bug: APISIX default API key creates a security risk

j4ckzh0u opened a new issue #5070:
URL: https://github.com/apache/apisix/issues/5070


   ### Issue description
   
   While doing security testing on APISIX recently, I found that APISIX has no automated process for rotating the API key. By using an internet search engine to find IPs running APISIX and iterating over them with the default API key, I successfully obtained the APISIX configuration of a number of companies, including quite a bit of sensitive configuration.
   
   ### Environment
   
   APISIX 2.6, containerized deployment. However, this should affect every version.
   
   ### Steps to reproduce
   
   Use the following command: `curl "http://x.x.x.x/apisix/admin/routes" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -k`
   
   ### Actual result
   
   If the default API key is in use, the APISIX configuration can be read and modified.
   
   ### Error log
   
   None
   
   ### Expected result
   
   [Suggestions (secure-by-default principle)]
   1. Add a warning about the risk of the default API key to the APISIX Dashboard;
   2. By default, the API should only be callable locally (localhost); if external access is needed, enable it with a switch on the Dashboard or by editing the config file, and restrict the range of source IPs allowed to call the API.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
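An added example, not part of the issue above or of the APISIX project's own code: a small POSIX shell audit for the two weaknesses the report raises in an APISIX 2.x config.yaml, the shipped default Admin API key and an allow_admin list that admits every source address, plus a helper that mints a replacement key. The two YAML snippets it writes are constructed for the example (the key in the hardened one is a placeholder, and the 10.20.30.0/24 subnet is invented), and the audit assumes the file being checked sets admin_key and allow_admin explicitly rather than inheriting them from config-default.yaml.

```shell
#!/bin/sh
# Added example (not APISIX project code): audit an APISIX 2.x config.yaml for
# (1) the well-known default Admin API key and (2) an allow_admin list that
# admits any source address, and mint a replacement key. The sample configs
# written by write_sample_configs are constructed for this example.

# The default key shipped in APISIX 2.x (the value used in the issue's curl command).
DEFAULT_ADMIN_KEY='edd1c9f034335f136f87ad84b625c8f1'

# Print the CIDRs listed under apisix.allow_admin, one per line, with
# surrounding quotes and trailing comments stripped.
allow_admin_entries() {
  awk '
    /^[ \t]*allow_admin:/ { inlist = 1; next }
    inlist && /^[ \t]*-[ \t]*/ {
      sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); gsub(/"/, ""); print; next
    }
    inlist { inlist = 0 }
  ' "$1"
}

# Audit one config file: print each finding, return 0 when clean, 1 otherwise.
audit_apisix_config() {
  audit_cfg="$1"
  audit_rc=0
  if grep -Eq "^[[:space:]]*key:[[:space:]]*[\"']?${DEFAULT_ADMIN_KEY}" "$audit_cfg"; then
    echo "FAIL $audit_cfg: admin_key still uses the default key $DEFAULT_ADMIN_KEY"
    audit_rc=1
  fi
  for cidr in $(allow_admin_entries "$audit_cfg"); do
    case "$cidr" in
      0.0.0.0/0|::/0)
        echo "FAIL $audit_cfg: allow_admin admits every source address ($cidr)"
        audit_rc=1 ;;
    esac
  done
  return "$audit_rc"
}

# Mint a 128-bit random key as 32 lowercase hex characters (same shape as the default).
new_admin_key() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a weak and a hardened sample config (both constructed for this example) into $1.
write_sample_configs() {
  cat > "$1/weak.yaml" <<'EOF'
apisix:
  admin_key:
    - name: admin
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
  allow_admin:
    - 0.0.0.0/0
EOF
  cat > "$1/hardened.yaml" <<'EOF'
apisix:
  admin_key:
    - name: admin
      key: 4f1c9e2b7a6d0c3e8b5f1a2d9c4e7b60   # placeholder; mint one with new_admin_key
      role: admin
  allow_admin:
    - 127.0.0.0/24
    - "10.20.30.0/24"   # constructed: the ops bastion subnet
EOF
}

# Usage: sh apisix_admin_audit.sh /path/to/config.yaml
# With no argument, audit the two constructed samples and print a fresh key.
main() {
  if [ $# -gt 0 ]; then
    audit_apisix_config "$1"
    return $?
  fi
  demo_dir=$(mktemp -d)
  write_sample_configs "$demo_dir"
  for f in "$demo_dir/weak.yaml" "$demo_dir/hardened.yaml"; do
    if audit_apisix_config "$f"; then echo "OK   $f"; fi
  done
  echo "replacement key: $(new_admin_key)"
  rm -r "$demo_dir"
}

main "$@"
```

The static check is the counterpart of the live probe in the issue: a `curl` against `/apisix/admin/routes` with the default `X-API-KEY` that returns route data means the first finding applies to a running instance, and reaching the Admin API from outside the deployment at all means the second does.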



[GitHub] [apisix] j4ckzh0u commented on issue #5070: bug: APISIX default API key creates a security risk

Posted by GitBox <gi...@apache.org>.
j4ckzh0u commented on issue #5070:
URL: https://github.com/apache/apisix/issues/5070#issuecomment-920525956


   This needs to be filed against the dashboard project; closing for now.





[GitHub] [apisix] j4ckzh0u closed issue #5070: bug: APISIX default API key creates a security risk

Posted by GitBox <gi...@apache.org>.
j4ckzh0u closed issue #5070:
URL: https://github.com/apache/apisix/issues/5070


   

