couchdb-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-2221) malformed iterations field in _users doc causes authentication hang
Date Sun, 06 Apr 2014 17:37:15 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961467#comment-13961467 ]

ASF subversion and git services commented on COUCHDB-2221:
----------------------------------------------------------

Commit 887b42022430b565f82d941042712d43b61761e8 in couchdb's branch refs/heads/2221-bug-validate-auth-params
from [~rnewson]
[ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=887b420 ]

Verify that auth-related properties are well-formed

Passing unexpected values to auth fields can result in server
issues. Notably, setting "iterations" to a string will cause an
infinite loop as the comparison 'when Iteration > Iterations' will
never evaluate to false.

The latest validate_doc_update prevents user docs with this problem
and administrators can deploy that check themselves (and only
administrators can edit design documents).

COUCHDB-2221


> malformed iterations field in _users doc causes authentication hang
> -------------------------------------------------------------------
>
>                 Key: COUCHDB-2221
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2221
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Database Core
>            Reporter: Isaac Z. Schlueter
>            Assignee: Joan Touzet
>
> Create a user account with the following details:
> {
>   "_id":"org.couchdb.user:test-user",
>   "name":"test-user",
>   "password":"this is a test",
>   "roles":[],
>   "type":"user"
> }
> CouchDB will PBKDF2-ify the password in the _users doc.  So far so good.
> Then, try this:
> ubuntu@ip-172-31-35-228:~$ curl http://localhost:5984/_users/org.couchdb.user:test-user -u "test-user:this is not the correct password" -vvv
> * About to connect() to localhost port 5984 (#0)
> *   Trying 127.0.0.1... connected
> * Server auth using Basic with user 'test-user'
> > GET /_users/org.couchdb.user:test-user HTTP/1.1
> > Authorization: Basic dGVzdHVzZXI6dGhpcyBpcyBub3QgdGhlIGNvcnJlY3QgcGFzc3dvcmQ=
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: localhost:15984
> > Accept: */*
> >
> And then it hangs indefinitely.
> This does not happen when the user account uses password_sha.  For example:
> ubuntu@ip-172-31-35-228:~$ curl http://localhost:15984/_users/org.couchdb.user:testuserasdf -u "testuserasdf:this is not the correct password" -vvv
> * About to connect() to localhost port 15984 (#0)
> *   Trying 127.0.0.1... connected
> * Server auth using Basic with user 'testuserasdf'
> > GET /_users/org.couchdb.user:testuserasdf HTTP/1.1
> > Authorization: Basic dGVzdHVzZXJhc2RmOnRoaXMgaXMgbm90IHRoZSBjb3JyZWN0IHBhc3N3b3Jk
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: localhost:15984
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < Server: CouchDB/1.5.0 (Erlang OTP/R14B04)
> < Date: Sat, 05 Apr 2014 22:58:54 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 67
> < Cache-Control: must-revalidate
> <
> {"error":"unauthorized","reason":"Name or password is incorrect."}
> * Connection #0 to host localhost left intact
> * Closing connection #0
> This is a serious and urgent problem for npm.
> At the urging of many people in the CouchDB and Node.js community, we've been migrating users to pbkdf2 accounts.  However, rather than quickly report authorization failures, it hangs indefinitely, and eventually our TLS terminator returns a 500 or our CDN returns a 503.
> Because the appropriate HTTP response code is not being returned, we cannot hope to properly handle the situation.  It looks like the server has just fallen over.  Already the user experience has started to get pretty awful.
> What's worse, I fear that this is a DOS exploit, because it ties up a connection for a very long time.  The npm registry is somewhat insulated by our CDN, but any CouchDB using pbkdf2 password storage is vulnerable.
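The commit above describes the mitigation as a validate_doc_update check that administrators can deploy in the _users design document. The example below is added here and is not CouchDB's own validator, nor code from the commit: it is a validate_doc_update function that refuses the document class described in this report (a `pbkdf2` user doc whose `iterations` is a string, zero, negative or non-integral) before it is ever stored, so the integer loop counter in the PBKDF2 routine can never be compared against a non-integer (in Erlang term ordering every number sorts before every list, so an integer counter compared against a string never reaches the exit condition). The field names `password_scheme`, `iterations`, `salt`, `derived_key`, `password_sha`, `roles` and `type` are the _users document fields; `validateUserDoc` and `checkDoc` are names chosen for this example, and the sample documents, salt and derived_key values are constructed placeholders, not real hashes. The validator body uses only ES5 constructs so it can be pasted into a design document; the `checkDoc` harness and sample docs are for running the example under Node.

```javascript
// Added example, not CouchDB's _users validator: reject malformed
// authentication fields at write time so they never reach the hashing path.
function validateUserDoc(newDoc, oldDoc, userCtx, secObj) {
  function forbidden(msg) { throw { forbidden: msg }; }
  function nonEmptyString(v) { return typeof v === "string" && v.length > 0; }

  if (newDoc._deleted) return;                      // deletions carry no auth fields

  if (newDoc.type !== "user") forbidden("doc.type must be 'user'");
  if (!nonEmptyString(newDoc.name)) forbidden("doc.name must be a non-empty string");
  if (newDoc._id !== "org.couchdb.user:" + newDoc.name) forbidden("doc._id must be org.couchdb.user:<name>");
  if (!Array.isArray(newDoc.roles)) forbidden("doc.roles must be an array");
  for (var i = 0; i < newDoc.roles.length; i++) {
    if (typeof newDoc.roles[i] !== "string") forbidden("doc.roles must contain only strings");
  }

  // A clear-text "password" is allowed (the server hashes it on write) but must be a string.
  if (newDoc.password !== undefined && typeof newDoc.password !== "string") {
    forbidden("doc.password must be a string");
  }

  if (newDoc.password_scheme === "pbkdf2") {
    // The PBKDF2 loop counter is an integer; only a finite positive integer may be stored.
    var it = newDoc.iterations;
    if (typeof it !== "number" || !isFinite(it) || it % 1 !== 0 || it < 1) {
      forbidden("doc.iterations must be a positive integer");
    }
    if (!nonEmptyString(newDoc.salt)) forbidden("doc.salt must be a non-empty string");
    if (!nonEmptyString(newDoc.derived_key)) forbidden("doc.derived_key must be a non-empty string");
  } else if (newDoc.password_scheme === "simple" || newDoc.password_sha !== undefined) {
    // Legacy salted-SHA accounts, as in the reporter's second example.
    if (!nonEmptyString(newDoc.password_sha)) forbidden("doc.password_sha must be a non-empty string");
    if (!nonEmptyString(newDoc.salt)) forbidden("doc.salt must be a non-empty string");
  } else if (newDoc.password_scheme !== undefined) {
    forbidden("unknown doc.password_scheme");
  }
}

// Hypothetical Node harness: returns null when the doc is accepted, otherwise the
// forbidden reason, so the decision can be checked without a CouchDB runtime.
function checkDoc(doc) {
  try {
    validateUserDoc(doc, null, { name: "admin", roles: ["_admin"] }, {});
    return null;
  } catch (e) {
    if (e && e.forbidden) return e.forbidden;
    throw e;
  }
}

// Constructed sample documents; salt and derived_key are placeholder hex, not real hashes.
var GOOD_PBKDF2 = {
  _id: "org.couchdb.user:test-user", name: "test-user", type: "user", roles: [],
  password_scheme: "pbkdf2", iterations: 10,
  salt: "0123456789abcdef0123456789abcdef",
  derived_key: "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
};
var STRING_ITERATIONS = Object.assign({}, GOOD_PBKDF2, { iterations: "10" });  // the report's trigger
var ZERO_ITERATIONS = Object.assign({}, GOOD_PBKDF2, { iterations: 0 });
var FLOAT_ITERATIONS = Object.assign({}, GOOD_PBKDF2, { iterations: 10.5 });
var BAD_ROLES = Object.assign({}, GOOD_PBKDF2, { roles: "admin" });
var NEW_USER = {
  _id: "org.couchdb.user:test-user", name: "test-user",
  password: "this is a test", roles: [], type: "user"
};

var samples = { GOOD_PBKDF2: GOOD_PBKDF2, NEW_USER: NEW_USER, STRING_ITERATIONS: STRING_ITERATIONS,
                ZERO_ITERATIONS: ZERO_ITERATIONS, FLOAT_ITERATIONS: FLOAT_ITERATIONS, BAD_ROLES: BAD_ROLES };
Object.keys(samples).forEach(function (k) {
  console.log(k + ": " + (checkDoc(samples[k]) || "accepted"));
});
```

Installed as the `validate_doc_update` member of the `_design/_auth` document in `_users`, a string `iterations` is rejected with a 403 at write time instead of being stored and discovered at the next Basic-auth request. Only administrators can write design documents, so the check cannot be removed by the users it constrains.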



--
This message was sent by Atlassian JIRA
(v6.2#6252)
