[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15891837#comment-15891837 ]
ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1865#discussion_r103875741

--- Diff: server/src/com/cloud/api/ApiServer.java ---
@@ -430,8 +433,27 @@ public void handle(final HttpRequest request, final HttpResponse response, final if (!(responseType.equals(HttpUtils.RESPONSE_TYPE_JSON) || responseType.equals(HttpUtils.RESPONSE_TYPE_XML))) { responseType = HttpUtils.RESPONSE_TYPE_XML; } - try { + //verify that parameter is legit for passing via admin port
--- End diff --

Check if it makes sense to move this as a separate helper method. There are also other places in code that read the annotation on the API commands and parameters. Check if some of them can be reused.

> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
> Key: CLOUDSTACK-9705
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9705
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Reporter: Anshul Gangwar
> Assignee: Anshul Gangwar
>
> The "unauthenticated API" allows a caller to reset CloudStack administrator passwords. This presents a security risk because it allows for privilege escalation attacks. First, if the unauthenticated API is listening on the network (instead of locally) then any user on the network can reset admin passwords. If the API is only listening locally, then any user with access to the local box can reset admin passwords. This would allow them to access other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords that have been lost or hijacked, such a solution needs to be secure. We should either remove this feature from the Unauthenticated API, or provide a solution that is less open to abuse.

-- This message was sent by Atlassian JIRA (v6.3.15#6346)
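Review bot: the hunk drops the `try {` that opened the block directly before the new parameter check, so unless the try is reopened later in the same hunk (not visible in this excerpt), an exception thrown while reading a command's annotations would escape the existing catch; confirm that the check either sits inside the try or fails closed by rejecting the request, since this is the gate meant to keep commands such as the admin password reset off the unauthenticated port. The comment `//verify that parameter is legit for passing via admin port` should also name the annotation it consults and the port it applies to rather than "legit", which will help the helper-method extraction suggested above.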