IT资讯 Apache Ambari 公布任意文件下载漏洞

claus · 2021-02-09 14:00:06 · 热度: 191

近日,Apache 官方公告了一个 Apache Ambari 的任意文件下载漏洞。Ambari 的鉴权模块存在设计缺陷,恶意用户可以绕过身份验证,通过构造文件名以进行目录遍历和下载文件。

此漏洞主要是由于在鉴权过滤器 org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter 中使用了 “String requestURI = httpRequest.getRequestURI();“ 引起。

 @Overridepublic void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    String requestURI = httpRequest.getRequestURI();

    SecurityContext context = getSecurityContext();

    Authentication authentication = context.getAuthentication();

    AuditEvent auditEvent = null;
    ....
}

当 Web 服务器处理像访问 “/everyone-has-permission-path/..;/admin-has-permission-path” 这样的路径时,将返回资源 “admin-has-permission-path”, 但是过滤器中的 “httpRequest.getRequestURI()” 将返回路径 “/everyone-has-permission-path/..;/admin-has-permission-path”,因此下面的代码将导致通过匹配的许可:

@Override
  public void doFilter(ServletRequest request, ServletResponse
response, FilterChain chain) throws IOException, ServletException {
    ...
    if (authentication == null || authentication instanceof
AnonymousAuthenticationToken) {
      ...
    }
    if (authentication == null || authentication instanceof
AnonymousAuthenticationToken ||
        !authentication.isAuthenticated()) {
      ...
    } else if (!authorizationPerformedInternally(requestURI)) {
      boolean authorized = false;

      if (requestURI.matches(API_BOOTSTRAP_PATTERN_ALL)) {
        authorized = AuthorizationHelper.isAuthorized(authentication,
            ResourceType.CLUSTER,
            null,
            EnumSet.of(RoleAuthorization.HOST_ADD_DELETE_HOSTS));
      }
      else {
        ...
      }
      ...
    }
    ...
  }

据悉,该漏洞会影响 Ambari 2.6.2.2 及更早版本,升级到更高版本可解决此问题。详细内容可以查看 Apache 公告

猜你喜欢:
暂无回复。
需要 登录 后方可回复, 如果你还没有账号请点击这里 注册