Bug #23182 (open)
AWS v2 signature does not cover essential parts of admin API
Description
The AWS v2 signature only covers the URL without the query string, but the Admin API passes essential parameters in the query string. For example, if I as a legitimate admin send the following request:
PUT /admin/user?format=json&uid=real_user&display-name=Real
a man in the middle could intercept my query and reuse the signature to send the following query
PUT /admin/user?format=json&uid=fake_user&display-name=Hacker&access-key=ABCD0EF12GHIJ2K34LMN&secret-key=0AbCDEFg1h2i34JklM5nop6QrSTUV
Updated by Robin Johnson about 6 years ago
Note: I mentioned this to Yehuda last year, but the decision was that the best we could do would be to force the Admin API to use v4 signatures later. We can't protect query parameters in v2 signatures. Alternatively, we could require SSL for AdminAPI.
Updated by Matt Benjamin about 6 years ago
- Status changed from New to Triaged
@robin, thanks for the clarification; both workarounds would appear acceptable; will discuss upstream; it seems clear that a site can operate the interface securely with appropriate workflow.
Updated by Matt Benjamin about 6 years ago
update: upstream guidance is to introduce an option to require AWS_HMAC_SHA256, which defaults to enabled.
Matt
Updated by Jan-Philipp Litza almost 3 years ago
Actually, I'm not sure what made me say "The AWS v2 signature", because apparently other endpoints require signing the query string even with v2 (e.g. /bucket/?lifecycle). Only the Admin API doesn't want the query string to be included in the signed data (and neither the body hash, which other endpoints require, too).
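The following is an added example, not code from the Ceph tracker or from RGW itself. It reproduces, in a few lines of Python, the signing mechanics behind both the description and the last note: the AWS v2 StringToSign ends with CanonicalizedResource, which is the request path plus a fixed set of sub-resources (such as ?lifecycle), so a verifier computes the same HMAC for the Admin API's two requests above, while a change from ?lifecycle to ?versioning on a bucket does alter the signature. The include_query=True path is a hypothetical stricter variant used only to show the contrast; it is not an RGW option, and the actual upstream direction (requiring v4, whose canonical request covers the full sorted query string) is what a site should rely on. The secret, the date, and the sub-resource subset are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed subset of the v2 sub-resources that are folded into
# CanonicalizedResource; "lifecycle" is the one mentioned in the thread.
SIGNED_SUBRESOURCES = {"acl", "lifecycle", "location", "logging", "versioning"}

# Constructed values for the demonstration (not real credentials).
DEMO_SECRET = "constructed-demo-secret"
DEMO_DATE = "Thu, 01 Mar 2018 00:00:00 GMT"

# The two Admin API requests from the bug description.
LEGIT_URL = "/admin/user?format=json&uid=real_user&display-name=Real"
TAMPERED_URL = ("/admin/user?format=json&uid=fake_user&display-name=Hacker"
                "&access-key=ABCD0EF12GHIJ2K34LMN"
                "&secret-key=0AbCDEFg1h2i34JklM5nop6QrSTUV")


def canonical_resource(url, include_query=False):
    """Build CanonicalizedResource for an S3-style v2 signature.

    include_query=False models v2 as described in the report: only the
    path and known sub-resources are signed, ordinary parameters are not.
    include_query=True is a hypothetical stricter variant that signs every
    query parameter (sorted), shown only for contrast.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if include_query:
        signed = sorted(params)
    else:
        signed = sorted((k, v) for k, v in params if k in SIGNED_SUBRESOURCES)
    if not signed:
        return parts.path
    # Bare sub-resources ("?lifecycle") carry no "=" in the canonical form.
    return parts.path + "?" + "&".join(k if v == "" else f"{k}={v}" for k, v in signed)


def sign_v2(secret, method, url, date, content_md5="", content_type="",
            include_query=False):
    """Signature = Base64(HMAC-SHA1(secret, StringToSign)), no x-amz-* headers."""
    string_to_sign = "\n".join([method, content_md5, content_type, date]) + "\n"
    string_to_sign += canonical_resource(url, include_query)
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_v2(secret, method, url, date, presented_sig, include_query=False):
    """Server-side check: recompute and compare in constant time."""
    expected = sign_v2(secret, method, url, date, include_query=include_query)
    return hmac.compare_digest(expected, presented_sig)


def replay_accepted(secret, date, signed_url, replayed_url, include_query=False):
    """True if a signature minted for signed_url also verifies for replayed_url.

    This is the property a defender wants to be False: a signature should
    not survive any change to the parameters that carry meaning.
    """
    sig = sign_v2(secret, "PUT", signed_url, date, include_query=include_query)
    return verify_v2(secret, "PUT", replayed_url, date, sig,
                     include_query=include_query)


if __name__ == "__main__":
    print("v2 canonical resource for the admin request:",
          canonical_resource(LEGIT_URL))
    print("admin replay accepted under v2 rules:",
          replay_accepted(DEMO_SECRET, DEMO_DATE, LEGIT_URL, TAMPERED_URL))
    print("admin replay accepted when the full query is signed:",
          replay_accepted(DEMO_SECRET, DEMO_DATE, LEGIT_URL, TAMPERED_URL,
                          include_query=True))
    print("bucket ?lifecycle -> ?versioning accepted under v2 rules:",
          replay_accepted(DEMO_SECRET, DEMO_DATE, "/bucket/?lifecycle",
                          "/bucket/?versioning"))
```

Running it shows the asymmetry the thread describes: the admin request's canonical resource is just "/admin/user", so the tampered query verifies under v2 rules, whereas the bucket sub-resource is part of the signed data and a change there is rejected. Signing the whole query string closes the gap, which is what moving the Admin API to v4 (or wrapping it in TLS so the signature cannot be intercepted) achieves.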