Activation key creation not protected
The QLM web service API provides a command to create activation keys. It seems that this API call is not protected.
A request like this:
<your qlm web service url>/qlm/qlmservice.asmx/GetActivationKey?is_productid=1&is_majorversion=1&is_minorversion=0&is_qlmversion=5.0.00
will return a fresh, valid activation key in plain text. No kind of authentication seems to be necessary. Therefore anyone who knows the server URL would be able to create an activation key, and use this key to unlock our application.
Is there a way to protect this api call?
I'm using Soraco's in-house QLM web hosting, and I followed all instructions in the e-mail that I received after purchase to the best of my knowledge.
Kind regards,
Moritz
Official comment
Hi Moritz
Sorry for the late reply. There is a restricted set of methods that can be invoked from a URL such as GetActivationKey.
These methods are not intended to be called from the application. They are intended to be called from your server.
You can protect these methods by adding the is_user/is_pwd arguments to the URL. The user/pwd specified as an argument to the URL must match the user/pwd configured in the Commerce Providers section (under the Manage Keys tab).
It is recommended to set a user/pwd to all Commerce Providers, even the ones you are not using.
If no is_vendor is specified as an argument to the URL method, a default commerce provider is selected as specified by the defaultVendor setting in the Web Service web.config file.
For more details, check this article:
https://soraco.zendesk.com/hc/en-us/articles/201702694-How-to-define-the-user-password-associated-to-an-eCommerce-provider
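The following is an added example, not Soraco's code and not part of the original thread. It models the check the reply above describes: the commerce provider is chosen by is_vendor (falling back to the defaultVendor setting) and is_user/is_pwd must match that provider's configured user/pwd. The provider table, the default vendor, the function names and the rule that an unconfigured provider accepts empty credentials are all assumptions made for illustration; the real check runs inside the QLM web service. It also includes a small audit that shows why the reply recommends setting a user/pwd on every provider, including unused ones.

```python
"""Model of the is_user/is_pwd check for URL-invokable QLM web-service methods.

Added example: the data structures and names here are assumptions, not the
QLM web service's own implementation.
"""
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the Commerce Providers table (Manage Keys tab), keyed by
# the provider name that is_vendor selects. Empty user/pwd models a provider
# that was never given credentials (an assumption about unconfigured providers).
COMMERCE_PROVIDERS = {
    "fastspring": {"user": "fs-admin", "pwd": "correct horse battery staple"},
    "paypal": {"user": "", "pwd": ""},  # unused provider, left unconfigured
}

# Stand-in for the defaultVendor setting in the web service web.config.
DEFAULT_VENDOR = "fastspring"


def build_url(base_url, product_id, major, minor, qlm_version,
              user=None, pwd=None, vendor=None):
    """Build the GetActivationKey URL from the thread, adding is_vendor,
    is_user and is_pwd only when they are supplied."""
    params = {
        "is_productid": product_id,
        "is_majorversion": major,
        "is_minorversion": minor,
        "is_qlmversion": qlm_version,
    }
    if vendor is not None:
        params["is_vendor"] = vendor
    if user is not None:
        params["is_user"] = user
    if pwd is not None:
        params["is_pwd"] = pwd
    return (base_url.rstrip("/")
            + "/qlm/qlmservice.asmx/GetActivationKey?" + urlencode(params))


def credentials_ok(url, providers=COMMERCE_PROVIDERS, default_vendor=DEFAULT_VENDOR):
    """Server-side decision: may this request create an activation key?

    The provider comes from is_vendor or, if absent, from the default vendor.
    is_user/is_pwd (missing arguments count as empty) must equal that
    provider's configured user/pwd.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    vendor = query.get("is_vendor", [default_vendor])[0]
    provider = providers.get(vendor)
    if provider is None:
        return False  # unknown provider: refuse rather than fall back
    user = query.get("is_user", [""])[0]
    pwd = query.get("is_pwd", [""])[0]
    # Constant-time comparison on bytes so a wrong guess leaks nothing about
    # how much of the value matched, and non-ASCII input cannot raise.
    return (hmac.compare_digest(user.encode("utf-8"), provider["user"].encode("utf-8"))
            and hmac.compare_digest(pwd.encode("utf-8"), provider["pwd"].encode("utf-8")))


def unprotected_providers(providers=COMMERCE_PROVIDERS):
    """Providers that still accept empty credentials. Each one is an
    unauthenticated path to GetActivationKey via is_vendor=<name>, which is
    why the reply says to set a user/pwd on every provider, not just the one
    in use."""
    return sorted(name for name, p in providers.items()
                  if not p["user"] or not p["pwd"])


if __name__ == "__main__":
    base = "https://example.invalid"  # placeholder for your QLM web service URL
    anonymous = build_url(base, 1, 1, 0, "5.0.00")
    authenticated = build_url(base, 1, 1, 0, "5.0.00",
                              user="fs-admin", pwd="correct horse battery staple")
    bypass = build_url(base, 1, 1, 0, "5.0.00", vendor="paypal")
    print("anonymous (default vendor):", credentials_ok(anonymous))
    print("authenticated:", credentials_ok(authenticated))
    print("anonymous via unconfigured vendor:", credentials_ok(bypass))
    print("providers still open:", unprotected_providers())
```

In this model the anonymous request from the original post is refused once the default provider has a user/pwd, but naming an unconfigured provider with is_vendor still succeeds; run unprotected_providers() against your own provider table before relying on the check. Because is_user/is_pwd travel in the query string, they will appear in proxy and web-server logs, so call these methods only over HTTPS and only from your own server, as the reply advises.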
In addition to the above, you can disable these functions as follows (must be using QLM 7.2 or greater):
- in the QLM Management Console
- go to Manage Keys
- click Sites and select your site
- click the Server Properties tab
- expand the "security" category
- uncheck all the methods you would like to disable.