[
https://issues.apache.org/jira/browse/RANGER-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Velmurugan Periasamy deleted RANGER-2363:
-----------------------------------------
> [security] Admin webui - Broken Access Control - Vertical Privilege Escalation
> ------------------------------------------------------------------------------
>
> Key: RANGER-2363
> URL: https://issues.apache.org/jira/browse/RANGER-2363
> Project: Ranger
> Issue Type: Bug
> Reporter: t oo
> Priority: Major
>
> The "Tag Based Policies" page can be directly accessed even though its tab is not
> visible when logged in with normal user privileges, i.e. enter this in the browser
> URL when logged in as a non-admin user:
> https://domain:6182/index.html#!/policymanager/tag
>
> Access control, sometimes called authorization, is how a web application
> grants access to content and functions to some users and not others. These
> checks are performed after authentication, and govern what ‘authorized’ users
> are allowed to do.
> The application users have different roles assigned to them, such as the Admin
> and User roles. One of the tabs, Access Manager, shows Tag Based Policies in its
> drop-down list when logged in with admin privileges, but this tab is not visible
> with normal user privileges.
> During testing, it was observed that even though the "Tag Based Policies" tab
> was not visible when logged into the application with normal user privileges,
> the same page was accessible when the link was accessed directly under user
> privileges, as shown in the screenshots below. Even though the user was not
> able to make any changes to the tags and service connection parameters, the
> page was accessible by directly accessing the link, which should not be the
> case.
>
> Any authenticated non-Site-Admin user can view the Presentation page,
> create/delete Shortcuts, do a Search and view the documents returned by the
> search. Essentially, all users can perform tasks that should be limited to
> Site Admin only, and the roles assigned to them only limit what is visible
> under the main menu. Once an attacker succeeds in logging in, he would be
> able to do the mentioned tasks above, regardless of his current role.
>
> Check access. Limit what types of users can access the system, and what
> functions and content each of these types of users should be allowed to
> access.
>
> Source: https://www.owasp.org/index.php/Broken_Access_Control
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
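The distinction the report draws, between a tab being hidden in the menu and the server actually refusing the request, as an added example that is not Ranger's code: a tiny route dispatcher in its "hidden tab only" form next to a version that authorizes every request and records denials. The routes, role names and policy table are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed policy table: route -> roles allowed to load it. Role names and
# routes are assumptions for this example, not Ranger's actual configuration.
ROUTE_ROLES = {
    "/policymanager/tag": frozenset({"ROLE_SYS_ADMIN"}),
    "/policymanager/resource": frozenset({"ROLE_SYS_ADMIN", "ROLE_USER"}),
}


@dataclass
class User:
    name: str
    roles: frozenset = frozenset()


# Audit trail of denied requests (constructed); in a real deployment this would
# go to the server's access/audit log so repeated direct-URL access is visible.
DENIED = []


def visible_tabs(user):
    """Menu filtering: decides only what the UI draws, never what is served."""
    return sorted(r for r, roles in ROUTE_ROLES.items() if user.roles & roles)


def serve_vulnerable(user, route):
    """Vulnerable pattern: the only 'control' is that the tab is hidden, so
    entering the route in the address bar is enough to load the page."""
    return 404 if route not in ROUTE_ROLES else 200


def serve_hardened(user, route):
    """Hardened pattern: authorization is re-evaluated on every request,
    independently of what the menu showed, and denials are recorded."""
    allowed = ROUTE_ROLES.get(route)
    if allowed is None:
        return 404
    if not (user.roles & allowed):
        DENIED.append((user.name, route))
        return 403
    return 200
```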