Hi,
Since more than two years I am reporting security issues to the Webuzo Team and all the time the security issue was fixed: this is good.
Also this forum has a security issue because there is a login on top not secured by SSL. If you want to log in securely you have to click on the link "login" and not log in from the forum. This is not the top of security, also because my forum credentials are the same as my Softaculous license, so login should be more secure and always protected, but it is not.
For me security is very important, also in the Webuzo Panel.
There is a new issue introduced with the logrotate function used to reduce the use of space by the Webuzo Panel.
Reducing the space used by the panel is a very great feature but this should not create issues or security weaknesses.
Logrotate seems to be active for all users and since some months also login logs are processed once a week; once a week it seems the login log file is zipped so all logs will not be visible anymore from the Webuzo interface... this means if this job is planned for Saturday and you log in to Webuzo on Sunday or check login logs, you will see an empty list or just the logins of the day, so you feel safe as no one has tried, from the log, to log in to the panel... but this is not true... previous logs are only hidden because zip files are not read by the panel.
I have discussed this in private with the support, as since a month or more I started to see issues on the login log page because not all logs are there.
I strongly think that login logs should be excluded from being zipped, or the option to zip them should be optional and not active by default.
This is because:
- for security reasons login logs should not be erased in a week or without the admin knowing this is done automatically, or you can log in on Sunday and see all is ok and think no new login needs to be checked when this is not true because logrotate has deleted them the day before.
- no one will check the login log zip file except after some hacking has happened, but then it is too late, so I think it is much better to do the best prevention by keeping logs in the Webuzo panel. Users should really check this page once a week or a month (always better than never checking); once the page is checked, records should be removed manually.
- if users want to save space also on login logs, they should have options in the panel (optional) to disable this feature (bad idea) or decide not to exclude it from logrotate (not really a good idea)
The login log is a text file, I do not think this will take much space. It can maybe be erased automatically after 12 months but not in a week; also one month will not be enough. Auto-deleting this log or zipping it so no one will read it is a bad idea.
I think there are not many users that care about the login logs page. Webuzo does not provide two-step authentication or alerts by email, so it's a very bad idea to decide now to auto-delete or archive logs after a week or a month by default for all users.
Since this issue (which seems to be not an issue for Webuzo) has been introduced I lost the possibility to check the security of logins to my VPS because I never go into zips... now I am on mobility and I have issues connecting by SSH, SFTP or FTP with a mobile connection: ports are not allowed so... I am very disappointed to see this issue and cannot check logs in Webuzo.
I really hope a solution can come; editing just a file in Webuzo will not be the fix because on the first update all edits can be lost and the issue comes back again.
Also this file can be edited in the future and if this happens from Webuzo the removed line for the fix will come back again and start to create the issue again.
I really hope a solution will be found or developers will reconsider this. It's ok to logrotate the Webuzo error log and all other elements but not login logs.
I am asking if WebStats has the same issue... losing statistics because files are logrotated and zipped.
----------------------- PeopleInside
Web, security, open source passionate.
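As an added example (not Webuzo's or Softaculous's code, and assuming the archive naming login.log, login.log.1.gz, ... that logrotate produces), this POSIX shell script reassembles the complete login history from the live file and its rotated copies, so the entries a panel stops showing after rotation can still be reviewed:

```sh
#!/bin/sh
# Added example, not Webuzo's code: rebuild a panel's complete login history
# from the live log plus the rotated copies logrotate leaves behind, so a
# weekly review still covers the days the panel stops showing after rotation.
# The file layout (login.log, login.log.1.gz, ...) is an assumption.

# Print the contents of every rotated copy (plain or gzip), oldest first.
# logrotate numbers archives so that a higher suffix is older.
archived_entries() {
    dir=$1; name=$2; n=99
    while [ "$n" -ge 1 ]; do
        if [ -f "$dir/$name.$n.gz" ]; then
            gzip -dc "$dir/$name.$n.gz"
        elif [ -f "$dir/$name.$n" ]; then
            cat "$dir/$name.$n"
        fi
        n=$((n - 1))
    done
}

# Archives first, then the live file: one continuous, chronological history.
login_history() {
    archived_entries "$1" "$2"
    [ -f "$1/$2" ] && cat "$1/$2"
    return 0
}

# Constructed sample (not real data): one live day plus two gzip archives,
# mirroring the situation described in the post. Echoes the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'Sat 22:10 LOGIN OK admin 198.51.100.7\n' > "$d/login.log.2"
    printf 'Mon 03:12 LOGIN FAILED root 203.0.113.9\nTue 03:15 LOGIN FAILED root 203.0.113.9\n' > "$d/login.log.1"
    gzip "$d/login.log.2" "$d/login.log.1"
    printf 'Sun 10:00 LOGIN OK admin 198.51.100.7\n' > "$d/login.log"
    echo "$d"
}

# Demo: the live file shows 1 line; the archives hold 3 more, including failures.
sample=$(make_sample)
echo "visible in live file:  $(wc -l < "$sample/login.log")"
echo "hidden in archives:    $(archived_entries "$sample" login.log | wc -l)"
echo "complete history:      $(login_history "$sample" login.log | wc -l)"
```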