Bug #23182
open
AWS v2 signature does not cover essential parts of admin API
Added by Jan-Philipp Litza about 6 years ago.
Updated almost 3 years ago.
Description
The AWS v2 signature only covers the URL without the query string, but the Admin API passes essential parameters in the query string. For example, if I as a legitimate admin send the following request:
PUT /admin/user?format=json&uid=real_user&display-name=Real
a man in the middle could intercept my query and reuse the signature to send the following query
PUT /admin/user?format=json&uid=fake_user&display-name=Hacker&access-key=ABCD0EF12GHIJ2K34LMN&secret-key=0AbCDEFg1h2i34JklM5nop6QrSTUV
Note: I mentioned this to Yehuda last year, but the decision was that the best we could do would be to force the Admin API to use v4 signatures later. We can't protect query parameters in v2 signatures. Alternatively, we could require SSL for AdminAPI.
- Status changed from New to Triaged
@robin, thanks for the clarification; both workarounds would appear acceptable; will discuss upstream; it seems clear that a site can operate the interface securely with appropriate workflow.
- Assignee set to Matt Benjamin
update: upstream guidance is to introduce an option to require AWS_HMAC_SHA256, which defaults to enabled.
Matt
Actually, I'm not sure what made me say "The AWS v2 signature", because apparently other endpoints require signing the query string even with v2 (e.g. /bucket/?lifecycle). Only the Admin API doesn't want the query string to be included in the signed data (and neither the body hash, which other endpoints require, too).
Also available in: Atom
PDF