[ https://issues.apache.org/jira/browse/RANGER-2130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal updated RANGER-2130:
------------------------------------
    Attachment: Screen Shot 2018-06-11 at 10.36.39 am.png

> Ranger Admin - client-side control bypass
> -----------------------------------------
>
>                 Key: RANGER-2130
>                 URL: https://issues.apache.org/jira/browse/RANGER-2130
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Priority: Major
>         Attachments: Screen Shot 2018-06-11 at 10.36.39 am.png, 
> client_side_controls1.PNG, client_side_controls2.PNG
>
>
> *Risk/Issue summary finding*
> Client-side Control Bypass (Ranger)
>
> *Risk/Issue summary description/detail*
> The Apache Ranger application relies on client-side controls to restrict user
> access to certain information and functionality. A user can bypass these
> controls (by modifying client-side parameters or directly browsing to
> specific API requests or resources) to view information without the required
> authorisation.
> The attached screenshots show the "admin" user bypassing client-side controls
> to modify their Role from "User" to "Admin". Whilst submitting this request
> is unsuccessful and will not permanently change the user role, the GUI allows
> access to sections that were previously hidden.
>
> *Business impact / attack scenario*
> Low privilege users with restricted access are able to view information that
> is not intended for their viewing. As an example, the admin user can bypass
> client side controls to view configuration details for the HIVE_RANGER_E2E
> hive object.
>
> *Recommendation*
> Do not rely on client-side controls to restrict user access. Ensure that
> server-side controls are in place to restrict unauthorised access to
> sensitive information and APIs.
>
> In the Ranger Admin UI, on the Users page, after clicking on a user, if you
> edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so
> that the Role of User becomes un-greyed and you can change the role from
> User to Admin!
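The recommendation in the ticket, as an added example that is not part of the ticket or of Ranger's own code: a pure-logic sketch of a user-update handler and a service-config handler that decide from the server-side session role, so an edited "disabled" attribute in the browser changes nothing. Session ids, role names, user ids and the request shape are assumptions made for this illustration.

```javascript
// Added illustration (not Apache Ranger code). The caller's role is read from
// the server-side session, never from anything the browser submits.
// Constructed sample sessions and user records.
const sessions = {
  "sess-admin-1": { userId: 1, role: "Admin" },
  "sess-user-7": { userId: 7, role: "User" },
};
const users = {
  1: { id: 1, name: "ranger", role: "Admin" },
  7: { id: 7, name: "admin", role: "User" }, // the low-privilege "admin" user
};

// Handle PUT /users/:id. Returns an HTTP-like status and the stored record.
function updateUser(sessionId, targetId, body) {
  const caller = sessions[sessionId];
  if (!caller) return { status: 401 };
  const target = users[targetId];
  if (!target) return { status: 404 };
  // Only the record owner or an Admin may edit this record at all.
  if (caller.userId !== targetId && caller.role !== "Admin") return { status: 403 };
  // Role is an Admin-only field regardless of who owns the record: an enabled
  // <select> on the client is not evidence of authorisation.
  if (body.role !== undefined && body.role !== target.role && caller.role !== "Admin") {
    return { status: 403, reason: "role change requires Admin" };
  }
  // Copy only the fields this endpoint is meant to accept.
  const updated = { ...target };
  for (const field of ["name", "role"]) {
    if (body[field] !== undefined) updated[field] = body[field];
  }
  users[targetId] = updated;
  return { status: 200, user: updated };
}

// Handle GET /services/:name/config. The UI hides this section for Users, but
// the server decides on its own from the session role (constructed config).
const serviceConfigs = {
  HIVE_RANGER_E2E: { "jdbc.url": "jdbc:hive2://hive.example.invalid:10000" },
};
function getServiceConfig(sessionId, name) {
  const caller = sessions[sessionId];
  if (!caller) return { status: 401 };
  if (caller.role !== "Admin") return { status: 403 };
  const cfg = serviceConfigs[name];
  return cfg ? { status: 200, config: cfg } : { status: 404 };
}
```

With these checks in place the screenshot scenario ends at the server with a 403 for both the role change and the hidden configuration section, whatever the browser renders.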



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
