Recently, Apache published an advisory for an arbitrary file download vulnerability in Apache Ambari. Ambari's authorization module has a design flaw: a malicious user can bypass the authorization check and, by crafting a file name, perform directory traversal and download files.
The root cause is that the authorization filter org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter matches permissions against the raw value of "String requestURI = httpRequest.getRequestURI();".
```java
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HttpServletResponse httpResponse = (HttpServletResponse) response;
  // The raw, un-normalized request URI is what every later permission check matches on.
  String requestURI = httpRequest.getRequestURI();
  SecurityContext context = getSecurityContext();
  Authentication authentication = context.getAuthentication();
  AuditEvent auditEvent = null;
  ...
}
```
When the web server handles a path such as "/everyone-has-permission-path/..;/admin-has-permission-path", it serves the resource "admin-has-permission-path", but "httpRequest.getRequestURI()" in the filter returns the raw path "/everyone-has-permission-path/..;/admin-has-permission-path". The code below therefore matches the request against the "everyone" path and lets it through:
```java
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  ...
  if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
    ...
  }
  if (authentication == null || authentication instanceof AnonymousAuthenticationToken ||
      !authentication.isAuthenticated()) {
    ...
  } else if (!authorizationPerformedInternally(requestURI)) {
    boolean authorized = false;
    // Every pattern here is matched against the raw requestURI, not the path the
    // container will actually route, so a "..;" segment changes which branch is taken.
    if (requestURI.matches(API_BOOTSTRAP_PATTERN_ALL)) {
      authorized = AuthorizationHelper.isAuthorized(authentication,
          ResourceType.CLUSTER,
          null,
          EnumSet.of(RoleAuthorization.HOST_ADD_DELETE_HOSTS));
    } else {
      ...
    }
    ...
  }
  ...
}
```
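The following is an added example, not Ambari's code, that models the mismatch described above: the filter decides on the raw URI string while the container routes on a normalized path. The route prefixes ADMIN_PREFIX and PUBLIC_PREFIX are hypothetical stand-ins for the page's "admin-has-permission-path" and "everyone-has-permission-path", the normalization routine is a simplified model of what a servlet container does (strip per-segment `;` path parameters, percent-decode, collapse `..`), and the access-log lines are constructed for the demo. It also shows the corrected decision (authorize on the normalized path) and a log-scanning rule that flags such requests.

```python
"""Path-normalization mismatch behind the Ambari authorization bypass (added example)."""
import posixpath
import re
from urllib.parse import unquote

ADMIN_PREFIX = "/api/v1/admin"    # hypothetical: requires an admin principal
PUBLIC_PREFIX = "/api/v1/public"  # hypothetical: open to any caller


def normalize_request_path(raw_uri: str) -> str:
    """Approximate the container's routing view of a request URI: drop the query
    string, strip ';name=value' path parameters from every segment (so '..;'
    becomes '..'), percent-decode, then collapse '.' and '..' segments.
    The exact order of these steps is container-specific; this is a model."""
    path = raw_uri.split("?", 1)[0]
    segments = [unquote(seg.split(";", 1)[0]) for seg in path.split("/")]
    joined = "/".join(segments)
    # posixpath.normpath keeps a double leading slash, so re-root explicitly.
    return "/" + posixpath.normpath("/" + joined).lstrip("/")


def is_authorized(raw_uri: str, is_admin: bool, normalize: bool) -> bool:
    """Prefix-based authorization in the style of the filter on this page.
    normalize=False matches on the raw getRequestURI() string (the flaw);
    normalize=True matches on the path the container will actually route (the fix)."""
    path = normalize_request_path(raw_uri) if normalize else raw_uri
    if path.startswith(ADMIN_PREFIX):
        return is_admin
    if path.startswith(PUBLIC_PREFIX):
        return True
    return False


def has_path_param_traversal(raw_uri: str) -> bool:
    """Detection rule: a parent-directory segment (with or without a ';' path
    parameter, percent-encoded or not) is not something a legitimate client of a
    JSON REST API sends; flag it at the proxy or in the access log."""
    path = raw_uri.split("?", 1)[0]
    for seg in path.split("/"):
        if unquote(seg.split(";", 1)[0]) == "..":
            return True
    return False


# Constructed access-log lines (combined log format, fabricated for the demo).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/v1/public/status HTTP/1.1" 200 51
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/public/..;/admin/users HTTP/1.1" 200 8812
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/v1/public/%2e%2e;/admin/config HTTP/1.1" 200 1203
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/v1/admin/users HTTP/1.1" 403 0
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')


def flag_log_lines(log_text: str) -> list:
    """Return (raw_uri, routed_path) for every logged request that used a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_path_param_traversal(m.group(1)):
            hits.append((m.group(1), normalize_request_path(m.group(1))))
    return hits


if __name__ == "__main__":
    crafted = "/api/v1/public/..;/admin/users"
    print("raw match, anonymous  :", is_authorized(crafted, is_admin=False, normalize=False))
    print("normalized, anonymous :", is_authorized(crafted, is_admin=False, normalize=True))
    for raw, routed in flag_log_lines(SAMPLE_LOG):
        print("flagged:", raw, "->", routed)
```

The two `is_authorized` calls show the whole bug: the same request is allowed when the check runs on the raw string and denied when it runs on the routed path. The log rule deliberately keys on the traversal segment rather than on the literal `..;` text, so the percent-encoded variant in the third sample line is caught as well.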
The vulnerability reportedly affects Ambari 2.6.2.2 and earlier; upgrading to a newer version resolves it. See the Apache advisory for details.