
Ranger Admin - client-side control bypass

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: admin
    • Labels: None

      Description

      Risk/Issue summary finding

      Client-side Control Bypass (Ranger)

      Risk/Issue summary description/detail

      The Apache Ranger application relies on client-side controls to restrict user access to certain information and functionality. A user can bypass these controls (by modifying client-side parameters or directly browsing to specific API requests or resources) to view information without the required authorisation.
      
      The attached screenshots show the "admin" user bypassing client-side controls to modify their Role from "User" to "Admin". Whilst submitting this request is unsuccessful and will not permanently change the user role, the GUI allows access to sections that were previously hidden.

      Business impact / attack scenario

      Low privilege users with restricted access are able to view information that is not intended for their viewing. As an example, the admin user can bypass client side controls to view configuration details for the HIVE_RANGER_E2E hive object. 

      Recommendation

      Do not rely on client-side controls to restrict user access. Ensure that server-side controls are in place to restrict unauthorised access to sensitive information and APIs. 

      In the Ranger Admin UI, on the Users page, after clicking on a user, if you edit the page's HTML (e.g. in Chrome's developer tools) you can remove the 'disabled' attribute so that the Role field is no longer greyed out and you can change the role from User to Admin!
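      The recommendation above, as an added illustration that is not part of this issue or of Ranger's code: a server-side authorization check for the "update user" request that derives the editable fields from the authenticated session (the role names "User"/"Admin" come from the report; the field names, session model and sample requests are constructed), plus the matching check for a GUI section that is merely hidden client-side.

```python
"""Server-side enforcement for a Ranger Admin 'update user' request.
Constructed example, not Ranger's own code: the Users page greys out the Role
field with a client-side 'disabled' attribute that any user can remove in the
browser, so the server derives what the caller may change from the
authenticated session alone, never from the submitted form."""
from dataclasses import dataclass

# Role names as they appear on the Users page in the report.
ROLE_USER = "User"
ROLE_ADMIN = "Admin"

# Fields a caller may change on a user record, keyed by the CALLER's role
# (constructed field names). Looked up from the session, never from the body.
EDITABLE_FIELDS = {
    ROLE_USER: frozenset({"firstName", "lastName", "emailAddress"}),
    ROLE_ADMIN: frozenset({"firstName", "lastName", "emailAddress", "role"}),
}

@dataclass(frozen=True)
class Session:
    user_name: str  # authenticated principal
    role: str       # role stored server-side for that principal

def authorize_user_update(session, target_user, payload):
    """Return (allowed, reason). Unexpected fields are rejected outright rather
    than silently dropped, so a tampered form carrying role=Admin is refused."""
    if session.role != ROLE_ADMIN and target_user != session.user_name:
        return False, f"{session.user_name} may not edit user {target_user}"
    allowed = EDITABLE_FIELDS.get(session.role, frozenset())
    extra = sorted(set(payload) - allowed)
    if extra:
        return False, f"role {session.role} may not set {extra}"
    if "role" in payload and payload["role"] not in EDITABLE_FIELDS:
        return False, f"unknown role {payload['role']!r}"
    return True, "ok"

def may_view_service_config(session):
    """Hiding the service-configuration section in the GUI is not a control;
    the API that serves it must apply the same rule on every request."""
    return session.role == ROLE_ADMIN

if __name__ == "__main__":
    # Constructed requests: a plain user whose browser-edited form now carries
    # a role change, then the same user changing only their own e-mail address.
    user = Session("tester", ROLE_USER)
    print(authorize_user_update(user, "tester", {"role": ROLE_ADMIN}))
    print(authorize_user_update(user, "tester", {"emailAddress": "t@example.org"}))
    print(may_view_service_config(user))
```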

        Attachments

        1. Screen Shot 2018-06-11 at 10.36.39 am.png (54 kB, Pradeep Agrawal)
        2. client_side_controls2.PNG (36 kB, t oo)
        3. client_side_controls1.PNG (30 kB, t oo)
        4. 0001-RANGER-2130.patch (4 kB, Nitin Galave)


        People

        • Assignee: Nitin Galave (nitin.galave)
        • Reporter: t oo (toopt4)
        • Votes: 0
        • Watchers: 5
