Open aditya-me13 opened 2 hours ago
This is actually true for `logappend` as well. Here the log file `log5` was not created before. However, the command shown below led to an update of `log4` and the creation of a new log file `log5` with the same secret, without throwing any error.
The `logread` command runs without errors for two log files at once if the log files share the same secret.

In the first three commands below, notice that the log files `log1` and `log2` have the same secret, allowing the `logread` command in the third instance to execute successfully. Ideally, it should only accept one log file to read at a time.

However, an error occurs if two log files specified in the `logread` command have different secrets. In this case, `log3` and `log4` have secrets `secret3` and `secret4`, respectively. Therefore, command 6 throws an error when attempting to read both files simultaneously.

This appears to be a functionality issue; however, the ability to access two log files at once could lead to security vulnerabilities. Since I have access to all the log files (I can see their names but not their contents, refer to the image below)
I could theoretically perform a brute force attack to check if the password of my log file matches anyone else's. While this may seem impractical on a smaller scale, the potential for collisions (where two log files share the same secret) increases significantly with larger datasets.
I am still uncertain whether this constitutes a security issue or merely a functionality issue. @bichhawat sir, could you please clarify this?