t oo created RANGER-2363:
----------------------------

             Summary: [security] Admin webui - Broken Access Control - Vertical Privilege Escalation
                 Key: RANGER-2363
                 URL: https://issues.apache.org/jira/browse/RANGER-2363
             Project: Ranger
          Issue Type: Bug
          Components: admin, Ranger
    Affects Versions: 1.0.0
            Reporter: t oo


The "Tag Based Policies" page can be accessed directly even though its tab is not 
visible when logged in with normal user privileges, i.e. enter this in the browser 
URL bar when logged in as a non-admin user: https://domain:6182/index.html#!/policymanager/tag

 
|Access control, sometimes called authorization, is how a web application 
grants access to content and functions to some users and not others. These 
checks are performed after authentication, and govern what ‘authorized’ users 
are allowed to do. |
|The application users have different roles assigned to them, such as Admin and 
User role. One of tab Access Manager shows Tag Based Policies under drop down 
list when logged in with admin privileges but this tab is not visible under 
normal user privilege.
 During testing, it was observed that even though the "Tag Based policies" tab 
was not visible when logged into the application with normal user privilege but 
the same was accessible when directly accessed the link under user privilege as 
shown in below screenshots. Even though the user was not able to make any 
chnages to the TAGs and service connections paramters but this was accssible by 
directly accessing the link which should not be the case.
 
 
 

|Any authenticated non-Site-Admin user can view the Presentation page, 
create/delete Shortcuts, do a Search and view the documents returned by the 
search. Essentially, all users can perform tasks that should be limited to Site 
Admin only, and the roles assigned to them only limit what is visible under the 
main menu. Once an attacker succeeds in logging in, he would be able to do the 
mentioned tasks above, regardless of his current role.
 

|Check access. Limit what types of users can access the system, and what 
functions and content each of these types of users should be allowed to access. 
 
 Source: https://www.owasp.org/index.php/Broken_Access_Control|
|
|
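The OWASP guidance above amounts to: hiding a menu entry is not an access check; the server must enforce the role on every request, and the menu should be derived from the same rule. The following is an added illustration, not Ranger's own code; the role names, permission strings and the /policymanager/tag and /policymanager/resource routes are assumptions modelled on the report.

```javascript
// Added example (not Apache Ranger code). One permission table drives both the
// server-side check and the menu, so a route can never be reachable for a role
// that is not supposed to see it. Role and permission names are assumed.
const ROLE_PERMISSIONS = {
  ROLE_SYS_ADMIN: new Set(["policy:read", "policy:write", "tagpolicy:read", "tagpolicy:write"]),
  ROLE_USER: new Set(["policy:read"]),
};

// Each route names the permission it requires (routes are assumed, modelled on the report).
const ROUTES = {
  "/policymanager/tag": "tagpolicy:read",
  "/policymanager/resource": "policy:read",
};

// Deny by default: no session, no roles, or an unknown role grants nothing.
function isAllowed(user, permission) {
  if (!user || !Array.isArray(user.roles)) return false;
  return user.roles.some((role) => (ROLE_PERMISSIONS[role] || new Set()).has(permission));
}

// Server-side handler: the check runs on every request, regardless of how the
// client arrived at the URL (menu click or typed directly into the address bar).
function handleRequest(user, path) {
  const required = ROUTES[path];
  if (required === undefined) return { status: 404 };
  if (!user) return { status: 401 };
  if (!isAllowed(user, required)) return { status: 403 };
  return { status: 200, body: `${path} contents` };
}

// Menu rendering reuses the same rule; it is a convenience, not the control.
function visibleMenu(user) {
  return Object.keys(ROUTES).filter((path) => isAllowed(user, ROUTES[path]));
}
```

A regression test for the report's scenario is a non-admin session requesting the tag route directly and expecting 403, not 200.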



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)