
Bug #13207

CVE-2016-7031 rgw: Anonymous user is able to read bucket with authenticated read ACL

Added by Rahul Aggarwal over 1 year ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
Start date: 09/23/2015
Due date:
% Done: 0%
Source: other
Tags:
Backport: hammer
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Release: hammer
Needs Doc: No

Description

When the "authenticated-read" ACL is applied on a bucket, an anonymous user is also able to read (e.g. list) the bucket. But as per the S3 documentation only authenticated users should be allowed to access the bucket.

For example, using Python boto with the code below, any anonymous user is able to list the bucket using the public URL:

```python
import boto
import boto.s3.connection
import requests

# Credentials of a test user on a local rgw instance (from the reporter's
# environment). They are only used to create the bucket; the final GET is
# made without them.
access_key = '8d52e5231eed4a899220e7e85affd840'
secret_key = '03ad4895c4f9465aa57ff8d116d9eebb'
boto.config.add_section("Boto")
boto.config.set("Boto", "num_retries", "1")
conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    port=80,
    host='localhost',
    is_secure=False,  # rgw on port 80 speaks plain HTTP
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),
    debug=1,
)

# Create a bucket, restrict it to authenticated users and put one object in it.
bucket = conn.create_bucket("new_cont1")
bucket.set_canned_acl('authenticated-read')
key = bucket.new_key("one")
key.set_contents_from_string("testing bucket level acl")

# generate_url() returns a signed URL of the form
# http://localhost:80/new_cont1/?Signature=...&Expires=...&AWSAccessKeyId=...
# Rebuild scheme://host:port/bucket without the signature query string so the
# GET below is an anonymous bucket listing.
url = bucket.generate_url(3600)
l = url.split("/")
url = l[0] + "/" + "/" + l[2] + "/" + l[3]
r = requests.get(url)
data = r.text
print(data)
# An anonymous listing of an authenticated-read bucket must be refused (403);
# the bug returns 200 with the listing instead.
assert (r.status_code == 403)
```

testauthenticatedread.py View (804 Bytes) Rahul Aggarwal, 09/23/2015 10:41 AM
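To make the expected behaviour concrete, the following is an added illustration by the editor (not rgw's code and not the fix from PR 6057): it models how the S3 canned ACLs should be evaluated for an anonymous versus an authenticated requester, with a deliberately lenient variant that reproduces the symptom in the report above (an anonymous caller being treated as a member of AuthenticatedUsers). The two group URIs are the real S3 ones; the owner id, requester names and all function names are assumptions.

```python
# Added illustration of S3 canned-ACL evaluation (editor's example, not rgw's
# code and not the fix from PR 6057). The group URIs are S3's; everything else
# (function names, the constructed owner and requester ids) is made up.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Grants implied by each canned ACL, on top of the owner's FULL_CONTROL.
CANNED_ACL_GRANTS = {
    "private": [],
    "public-read": [(ALL_USERS, "READ")],
    "public-read-write": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "authenticated-read": [(AUTHENTICATED_USERS, "READ")],
}


def grants_for(owner_id, canned_acl):
    """Expand a canned ACL into explicit (grantee, permission) pairs."""
    return [(owner_id, "FULL_CONTROL")] + CANNED_ACL_GRANTS[canned_acl]


def groups_for(requester, lenient=False):
    """Groups a requester belongs to. ``requester`` is None for anonymous.

    Correct behaviour: only a requester that presented valid credentials is
    a member of AuthenticatedUsers. With ``lenient=True`` every requester,
    anonymous included, is placed in that group; this models the symptom in
    the report, where an unauthenticated GET listed an authenticated-read
    bucket.
    """
    groups = {ALL_USERS}
    if requester is not None or lenient:
        groups.add(AUTHENTICATED_USERS)
    return groups


def is_allowed(grants, requester, wanted, lenient=False):
    """Return True if ``requester`` may perform ``wanted`` under ``grants``."""
    groups = groups_for(requester, lenient)
    for grantee, perm in grants:
        if perm != wanted and perm != "FULL_CONTROL":
            continue
        if grantee == requester or grantee in groups:
            return True
    return False


def anonymous_listing_allowed(canned_acl, lenient=False):
    """Can an anonymous caller list (READ) a bucket with this canned ACL?

    Uses a constructed owner id; only the grantee groups matter here.
    """
    grants = grants_for("owner-1", canned_acl)
    return is_allowed(grants, None, "READ", lenient)


if __name__ == "__main__":
    for acl in CANNED_ACL_GRANTS:
        print("%-20s anonymous READ: correct=%-5s lenient=%s" % (
            acl,
            anonymous_listing_allowed(acl),
            anonymous_listing_allowed(acl, lenient=True)))
```

The point the model makes is that "no valid credentials" and "member of AuthenticatedUsers" must be mutually exclusive: the only canned ACL whose outcome differs between the correct and the lenient evaluation is authenticated-read, which is exactly the case in the report. Against a live endpoint, the reporter's script above (an anonymous GET on the bucket expecting 403) is the corresponding regression check.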


Related issues

Copied to Backport #17150: hammer: rgw: Anonymous user is able to read bucket with authenticated read ACL Resolved

History

#1 Updated by Rahul Aggarwal over 1 year ago

attaching test code

#2 Updated by Loic Dachary over 1 year ago

  • Project changed from Ceph to rgw

#3 Updated by Yehuda Sadeh over 1 year ago

  • Backport set to hammer

PR 6057

#4 Updated by Nathan Cutler over 1 year ago

  • Status changed from New to Need Review

#5 Updated by Nathan Cutler 8 months ago

  • Status changed from Need Review to Pending Backport

https://github.com/ceph/ceph/pull/6057 was merged, but ticket status was not changed. Thanks to Osamu for bringing this to our attention via the ceph-devel mailing list.

#6 Updated by Nathan Cutler 8 months ago

  • Subject changed from Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL to rgw: Anonymous user is able to read bucket with authenticated read ACL

#7 Updated by Loic Dachary 8 months ago

  • Copied to Backport #17150: hammer: rgw: Anonymous user is able to read bucket with authenticated read ACL added

#8 Updated by Ken Dreyer 7 months ago

RH Security team has assigned CVE-2016-7031 to this issue.

#9 Updated by Ken Dreyer 7 months ago

  • Subject changed from rgw: Anonymous user is able to read bucket with authenticated read ACL to CVE-2016-7031 rgw: Anonymous user is able to read bucket with authenticated read ACL

#10 Updated by Nathan Cutler 5 months ago

  • Status changed from Pending Backport to Resolved
  • Needs Doc set to No
