CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.




Author Topic: CIVICRM_SITE_KEY and security question  (Read 1327 times)

Erich Schulz

  • I post frequently
  • ***
  • Posts: 142
  • Karma: 5
    • When no-one understands what you are going on about its time to start a blog
  • CiviCRM version: 4.4
  • CMS version: Drupal 7
  • MySQL version: 5.somthing
  • PHP version: 5.3.3
CIVICRM_SITE_KEY and security question
November 22, 2011, 04:57:34 am
hi all - dumb question...

can much harm be done by public release of the CIVICRM_SITE_KEY ?? is it just to protect against denial of service attacks?

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 05:54:01 am
That's one of the two keys needed.

I would change it if it was made public.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Hershel

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4640
  • Karma: 176
    • CiviHosting
  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 05:59:03 am
To really run anything I think you still need a username and password, but the question is why would you want to make it public? If it was leaked inadvertently, I would change it--it's not hard to change. :)
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007

See here for the official: What to do if you think you've found a bug.

xavier

Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 06:21:22 am
Quote from: Hershel on November 22, 2011, 05:59:03 am
To really run anything I think you still need a username and password, but the question is why would you want to make it public? If it was leaked inadvertently, I would change it--it's not hard to change. :)

You can as well run stuff with the user key instead of the username+password. Anyway, change the site key. You can use this one, brand new md5: 04150129a805551b032a583dbf7ea268 :)

Hershel

Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 08:37:41 am
Quote from: xavier on November 22, 2011, 06:21:22 am
You can as well run stuff with the user key instead of the username+password

That's interesting. What things can be done?

xavier

Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 10:42:00 am
Everything on the REST interface (i.e. everything you can do on the API, provided the user having the user key has the permission to do it)

X+

Hershel

Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 10:44:55 am
But you would need the username and password to log in in the first place--so really you would need all 3--username, password and site key. No?

xavier

Re: CIVICRM_SITE_KEY and security question
November 22, 2011, 01:19:40 pm
No

That's a real REST so action=get&entity=contact&key=xxx&api_key=yyy is good enough (provided that the keys are all working), no need to log in or have a cookie.

X+

Hershel

Re: CIVICRM_SITE_KEY and security question
November 23, 2011, 03:06:50 am
I see. Thank you.

Erich Schulz

Re: CIVICRM_SITE_KEY and security question
December 15, 2011, 12:04:35 am
mmm ok... thanks very much I anoint thee both!
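
For triage after a site key has been exposed and changed, as the replies above recommend: this added example (not code from the posters or from CiviCRM) scans web access logs for requests carrying the `key` and `api_key` query parameters quoted in the thread, counts which clients used the old site key, and redacts both values from the log lines. The `/rest` path, the log lines and all key values are constructed placeholders.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in combined log format; addresses come from the
# documentation ranges, and the path and keys are made-up placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2011:10:42:00 +0000] "GET /rest?action=get&entity=contact&key=OLDSITEKEY&api_key=userkeyA HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Nov/2011:13:19:40 +0000] "GET /rest?action=get&entity=contact&key=OLDSITEKEY&api_key=userkeyB HTTP/1.1" 200 498',
    '192.0.2.10 - - [23/Nov/2011:03:06:50 +0000] "GET /rest?action=get&entity=contact&key=NEWSITEKEY&api_key=userkeyA HTTP/1.1" 200 530',
    '203.0.113.5 - - [23/Nov/2011:03:07:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SECRET_PARAMS = {"key", "api_key"}  # parameter names quoted in the thread


def fingerprint(value):
    """Short SHA-256 prefix so secrets can be compared without printing them."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def audit(lines, leaked_site_key):
    """Return (requests per client IP that used the leaked site key,
    fingerprints of user keys sent alongside it, redacted log lines)."""
    leaked_fp = fingerprint(leaked_site_key)
    hits, exposed_user_keys, redacted = Counter(), set(), []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            redacted.append(line)  # not a request line: pass through unchanged
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        q = dict(params)
        if "key" in q and fingerprint(q["key"]) == leaked_fp:
            hits[ip] += 1
            if "api_key" in q:
                # This user key sat in the same URL and needs changing as well.
                exposed_user_keys.add(fingerprint(q["api_key"]))
        safe = urlencode([(k, "REDACTED" if k in SECRET_PARAMS else v)
                          for k, v in params])
        redacted.append(line.replace(target, parts._replace(query=safe).geturl()))
    return hits, exposed_user_keys, redacted
```

Any user key that appears next to the exposed site key is written to the same log line, so it is reported by fingerprint for replacement along with the site key.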


This forum was archived on 2017-11-26.