Posted to dev@ranger.apache.org by "Velmurugan Periasamy (JIRA)" <ji...@apache.org> on 2019/03/13 15:26:00 UTC

[jira] [Deleted] (RANGER-2363) [security] Admin webui - Broken Access Control - Vertical Privilege Escalation

     [ https://issues.apache.org/jira/browse/RANGER-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Velmurugan Periasamy deleted RANGER-2363:
-----------------------------------------


> [security] Admin webui - Broken Access Control - Vertical Privilege Escalation
> ------------------------------------------------------------------------------
>
>                 Key: RANGER-2363
>                 URL: https://issues.apache.org/jira/browse/RANGER-2363
>             Project: Ranger
>          Issue Type: Bug
>            Reporter: t oo
>            Priority: Major
>
> "Tag Based Policies" page can be directly accessed whereas the tab is not visible when logged in with normal user privilege, i.e. enter this in the browser URL when logged in as a non-admin user: https://domain:6182/index.html#!/policymanager/tag
>
> Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do.
>
> The application users have different roles assigned to them, such as Admin and User role. One tab, Access Manager, shows Tag Based Policies under the drop-down list when logged in with admin privileges, but this tab is not visible under normal user privilege.
>
> During testing, it was observed that even though the "Tag Based policies" tab was not visible when logged into the application with normal user privilege, the same was accessible when the link was accessed directly under user privilege, as shown in the screenshots below. Even though the user was not able to make any changes to the TAGs and service connection parameters, this was accessible by directly accessing the link, which should not be the case.
>
> Any authenticated non-Site-Admin user can view the Presentation page, create/delete Shortcuts, do a Search and view the documents returned by the search. Essentially, all users can perform tasks that should be limited to Site Admin only, and the roles assigned to them only limit what is visible under the main menu. Once an attacker succeeds in logging in, he would be able to do the mentioned tasks above, regardless of his current role.
>
> Check access. Limit what types of users can access the system, and what functions and content each of these types of users should be allowed to access.
>
> Source: https://www.owasp.org/index.php/Broken_Access_Control



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
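The pattern the report describes, hiding a menu entry by role while leaving the page it opens unprotected, as an added illustration that is not Apache Ranger code. The route name is taken from the report; the user roles, the two toy dispatchers and the fact that the route is handled server-side are assumptions made for the example. The `probe` function is the kind of regression check a defender would keep: it requests every admin-only route as a normal user, including the ones the menu hides.

```python
from dataclasses import dataclass

# Constructed model of the admin UI: one admin-only route (the one the
# "Tag Based Policies" tab opens in the report) and one route open to all.
ADMIN_ONLY = {"/policymanager/tag"}
MENU = ["/policymanager/resource", "/policymanager/tag"]


@dataclass
class User:
    name: str
    role: str  # assumed roles: "admin" or "user"


def menu_for(user: User) -> list:
    """Menu filtering only: admin-only entries are hidden from non-admins."""
    return [r for r in MENU if r not in ADMIN_ONLY or user.role == "admin"]


def handle_vulnerable(user: User, path: str) -> int:
    """Vulnerable form: visibility is filtered, but the route itself checks nothing,
    so any authenticated user who types the URL gets the page (200)."""
    return 200 if path in MENU else 404


def handle_fixed(user: User, path: str) -> int:
    """Hardened form: the role check lives on the route, independent of the menu."""
    if path not in MENU:
        return 404
    if path in ADMIN_ONLY and user.role != "admin":
        return 403
    return 200


def probe(handler, user: User) -> dict:
    """Regression check: request each admin-only route the menu hides from `user`
    and report the status code; anything other than 403 is a finding."""
    visible = set(menu_for(user))
    return {path: handler(user, path) for path in sorted(ADMIN_ONLY) if path not in visible}


if __name__ == "__main__":
    normal = User("normal_user", "user")  # constructed test account
    print("vulnerable:", probe(handle_vulnerable, normal))  # {'/policymanager/tag': 200}
    print("fixed:     ", probe(handle_fixed, normal))       # {'/policymanager/tag': 403}
```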