ranger-dev mailing list archives

From "t oo (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2130) Ranger Admin - client-side control bypass
Date Sun, 10 Jun 2018 23:20:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

t oo updated RANGER-2130:
-------------------------
    Description: 
*Risk/Issue summary finding*
{code:java}
Client-side Control Bypass (Ranger){code}
*Risk/Issue summary description/detail*
{code:java}
The Apache Ranger application relies on client-side controls to restrict user access to certain
information and functionality. A user can bypass these controls (by modifying client-side
parameters or directly browsing to specific API requests or resources) to view information
without the required authorisation.

The attached screenshots show the "admin" user bypassing client-side controls to modify their
Role from "User" to "Admin". Whilst submitting this request is unsuccessful and will not permanently
change the user role, the GUI allows access to sections that were previously hidden.{code}
*Business impact / attack scenario*
{code:java}
Low privilege users with restricted access are able to view information that is not intended
for their viewing. As an example, the admin user can bypass client side controls to view configuration
details for the HIVE_RANGER_E2E hive object. {code}
*Recommendation*
{code:java}
Do not rely on client-side controls to restrict user access. Ensure that server-side controls
are in place to restrict unauthorised access to sensitive information and APIs. {code}

In the rangeradmin UI, on the Users page, after clicking on a user, if you edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so that the role of User becomes un-greyed out and you can change the role from User to Admin!

  was: In the rangeradmin UI, on the Users page, after clicking on a user, if you edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so that the role of User becomes un-greyed out and you can change the role from User to Admin!


> Ranger Admin - client-side control bypass
> -----------------------------------------
>
>                 Key: RANGER-2130
>                 URL: https://issues.apache.org/jira/browse/RANGER-2130
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Priority: Major
>         Attachments: client_side_controls1.PNG, client_side_controls2.PNG



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
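As an added example (not Ranger's code), the server-side enforcement the recommendation calls for, modelled in Python: the caller's role is looked up in the server's own store under the authenticated session, so a role select un-disabled in the browser, or a section made visible by editing the page, yields a refusal rather than data. The class and method names, the sample accounts and the config value are assumptions; HIVE_RANGER_E2E is the hive object named in the ticket.

```python
from dataclasses import dataclass, field

ADMIN, USER = "Admin", "User"

class Forbidden(Exception):
    """Any authorization failure; the web layer would turn this into HTTP 403."""

@dataclass
class Server:
    # user_id -> role: constructed sample accounts, not data from the ticket
    roles: dict = field(default_factory=lambda: {"alice": USER, "bob": ADMIN})
    # resource -> config; HIVE_RANGER_E2E is the hive object named in the ticket
    configs: dict = field(default_factory=lambda: {"HIVE_RANGER_E2E": {"jdbc.url": "<placeholder>"}})
    audit: list = field(default_factory=list)  # rejected calls, for detection/alerting

    def _require_admin(self, session_user: str, action: str) -> None:
        # The role comes from the server's store keyed by the authenticated session,
        # never from a form field, so client-side tampering cannot influence it.
        if self.roles.get(session_user) != ADMIN:
            self.audit.append((session_user, action))
            raise Forbidden(f"{session_user} may not {action}")

    def update_user(self, session_user: str, form: dict) -> str:
        """PUT /users/{id}: `form` is the raw, untrusted client payload."""
        target, requested = form["id"], form.get("role")
        if requested is not None and requested != self.roles[target]:
            # A role change is privileged however the form was produced.
            self._require_admin(session_user, f"change role of {target} to {requested}")
            self.roles[target] = requested
        return self.roles[target]

    def get_config(self, session_user: str, resource: str) -> dict:
        """GET /resources/{name}/config: the UI hides this for Users, but the
        check lives here so unhiding the section in the browser gains nothing."""
        self._require_admin(session_user, f"view config of {resource}")
        return self.configs[resource]

    def whoami(self, session_user: str) -> dict:
        """What the UI should render from: the server's view of the caller's role."""
        return {"user": session_user, "role": self.roles[session_user]}

def is_denied(call, *args) -> bool:
    """True when the server refuses the call with Forbidden."""
    try:
        call(*args)
    except Forbidden:
        return True
    return False
```

A tampered payload such as {"id": "alice", "role": "Admin"} submitted from alice's own session is refused and recorded in the audit list, while the identical payload from an admin session succeeds.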
