** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1321804
Title:
  Information leakage from the error message for user creation

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix
Bug description:
When the user creation function tries to create a user name that
already exists, the API returns an error message with a status code of
409. Unfortunately, the error message contains the SQL statement. It
can provide useful information for the attacker.
For example,
POST /v2.0/users HTTP/1.1
Host: 23.253.125.245:35357
Content-Length: 160
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
X-Auth-Token: MIIUxAYJKoZIhvcNAQcCoIIUtTCCFLECAQExDTALBglghkgBZQMEAgEwghMSBgkqhkiG9w0BBwGgghMDBIIS-[...PKI token truncated...]
User-Agent: python-requests/2.2.1 CPython/2.7.5 Darwin/13.1.0
Content-Type: application/xml
<user OS-KSADM:password="password" email="[email protected]" enabled="true" name="'" xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" />
Here is the response:
HTTP/1.1 409 Conflict
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 638
Date: Wed, 21 May 2014 15:16:16 GMT
<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0"
       message="Conflict occurred attempting to store user. (IntegrityError) (1062, "Duplicate entry 'default-'' for key 'domain_id'") 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('391b7bb762554558be0b90591a5ff826', "'", 'default', '$6$rounds=40000$wGwbH/0zGyednfRW$VmBXEtaDcThTLskznCC/KnODYXqvSld.xU4z5/DjOieT4iMl5HIbYO.uRB24hj27bDq6daSQ0YGZjdKHhkNFG/', 1, '{"email": "[email protected]"}', None)"
       code="409" title="Conflict"/>
We should use a generic error message for all errors.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
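The following is an added illustration, not the bug report's or Keystone's code, of the two error-handling patterns the report contrasts. It uses a constructed sqlite3 table with a unique (domain_id, name) constraint standing in for Keystone's user table; the table layout, function names and the fixed "Conflict occurred attempting to store user." message are assumptions for the example. The leaky handler interpolates the driver exception into the 409 body (with SQLAlchemy that string carries the statement and bound parameters, as the report shows; sqlite3 only names the violated constraint, but the principle is the same), the fixed handler logs the detail server-side and returns a constant body, and a small check flags responses that still mention SQL internals.

```python
"""Generic vs. verbose 409 handling for a duplicate-user insert (added example)."""
import logging
import sqlite3
import uuid

log = logging.getLogger("identity")

# Constructed schema: user names are unique within a domain, like the
# composite key the report's "Duplicate entry 'default-''" points at.
SCHEMA = """
CREATE TABLE user (
    id        TEXT PRIMARY KEY,
    name      TEXT NOT NULL,
    domain_id TEXT NOT NULL,
    UNIQUE (domain_id, name)
);
"""

GENERIC_CONFLICT = "Conflict occurred attempting to store user."  # assumed wording


def new_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_user(conn, name, domain_id="default"):
    """Parameterised insert; the second insert of the same name raises IntegrityError."""
    conn.execute(
        "INSERT INTO user (id, name, domain_id) VALUES (?, ?, ?)",
        (uuid.uuid4().hex, name, domain_id),
    )
    conn.commit()


def create_user_leaky(conn, name):
    """Pattern described in the report: the driver exception text, which
    describes the schema (and with SQLAlchemy the full statement and
    parameters), is copied straight into the API error body."""
    try:
        insert_user(conn, name)
        return 201, "Created"
    except sqlite3.IntegrityError as e:
        return 409, "%s %s" % (GENERIC_CONFLICT, e)


def create_user_generic(conn, name):
    """Fixed pattern: the detail is logged for operators, and the client
    receives the same constant message whichever constraint failed."""
    try:
        insert_user(conn, name)
        return 201, "Created"
    except sqlite3.IntegrityError as e:
        log.warning("user create rejected by database: %s", e)  # stays server-side
        return 409, GENERIC_CONFLICT


def leaks_internals(body):
    """Heuristic check a response test can apply: does the body expose
    SQL keywords, driver exception names or constraint wording?"""
    markers = ("INSERT", "SELECT", "UNIQUE", "IntegrityError", "constraint", "%s")
    return any(m in body for m in markers)


if __name__ == "__main__":
    conn = new_db()
    insert_user(conn, "'")          # first create succeeds
    print(create_user_leaky(conn, "'"))    # 409 with constraint text in the body
    print(create_user_generic(conn, "'"))  # 409 with only the generic message
```

Running the block shows the leaky body naming `user.domain_id, user.name`, while the generic handler's body is identical for every constraint violation, so a client cannot distinguish which column, index or statement was involved.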
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1321804/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp