Security Notifications

Use of GET Request Method With Sensitive Query Strings (CWE 598)


Classified as non-critical

Discovery description

A potentially compromised administrator who has access to either the stashcat web server logs or SSL gateway logs as part of his administration function can use them to retrieve the session ID and thus maliciously gain access to someone else’s account.

Assessment of the developer

The manufacturer considers this procedure to be uncritical due to the specific requirements. A user must have access to the client ID and the device ID and must first obtain this data to be able to access it. This is only possible if the foreign user is still logged in on the corresponding device. Device ID and client key are also protected by TLS encryption when sent as GET parameters. Since POST parameters could also be read in the outlined man-in-the-middle scenario, the manufacturer does not consider sending GET parameters to be optimal, but also not critical. A change in behavior has been implemented with version 3.10.

Translated with (free version)