Possible security issue with ACL clone API #1113

Closed
gmr opened this issue Jul 16, 2015 · 1 comment
Labels
theme/acls ACL and token generation type/bug Feature does not function as expected

Comments

@gmr (Contributor)

gmr commented Jul 16, 2015

If ACLs are enabled and an access token is not specified for the request and you make a PUT request to clone an ACL id, instead of getting a 403, Consul will first check to see if the ACL token exists and return a 404 if not.

I would expect that the security would be checked first as it is done with create or destroy.

For example, trying to destroy an invalid token:

"PUT /v1/acl/destroy/b9e6b84d HTTP/1.1" 403 17

But trying to clone an invalid token:

"PUT /v1/acl/clone/6e2acf0c HTTP/1.1" 404 20

An attacker could then try to brute-force the discovery of an access token by issuing the clone request and logging all forbidden responses. Since ACL list provides a 403 error when you are not authorized, I believe the intent is to prevent the token list from being discovered.

This was tested against v0.5.2.
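The ordering bug the report describes is a general pattern: an endpoint that looks up the requested object before authorizing the caller turns its status codes into an existence oracle. The following is an added example, not Consul's code and not part of the original issue. It models an in-memory ACL table (`aclStore`, `newStore`, `sampleCandidates` and the token IDs are all constructed for illustration), a `cloneVulnerable` handler that checks existence before authorization, a `cloneFixed` handler that authorizes first as `destroy` does, and an `enumerate` routine that plays the unauthenticated attacker and keeps every ID that did not answer 404.

```go
package main

import "fmt"

// aclStore is a constructed stand-in for an ACL table: a set of token
// IDs plus the single management token that clone/destroy require.
type aclStore struct {
	tokens map[string]bool
	master string
}

// newStore builds the sample table used below (constructed data).
func newStore() *aclStore {
	return &aclStore{
		tokens: map[string]bool{"aaaaaaaa": true, "cccccccc": true},
		master: "master-token",
	}
}

// cloneVulnerable mirrors the ordering reported in the issue: the target
// ID is looked up first, so an unauthenticated caller gets 404 for an
// unknown ID and 403 for a known one, which reveals which IDs exist.
func (s *aclStore) cloneVulnerable(callerToken, targetID string) int {
	if !s.tokens[targetID] {
		return 404 // leaks existence before any authorization check
	}
	if callerToken != s.master {
		return 403
	}
	return 200
}

// cloneFixed performs the authorization check before touching the table,
// so an unauthorized caller always sees 403 whether or not the ID exists.
func (s *aclStore) cloneFixed(callerToken, targetID string) int {
	if callerToken != s.master {
		return 403
	}
	if !s.tokens[targetID] {
		return 404
	}
	return 200
}

// sampleCandidates is the attacker's constructed guess list; two of the
// entries are real tokens in newStore and two are not.
var sampleCandidates = []string{"aaaaaaaa", "bbbbbbbb", "cccccccc", "dddddddd"}

// enumerate probes each candidate with no token and records every ID that
// did not come back 404. Against the vulnerable handler the result is
// exactly the set of existing tokens; against the fixed handler it is the
// whole candidate list, i.e. the responses carry no information.
func enumerate(clone func(callerToken, targetID string) int, candidates []string) []string {
	var found []string
	for _, id := range candidates {
		if clone("", id) != 404 {
			found = append(found, id)
		}
	}
	return found
}

func main() {
	s := newStore()
	fmt.Println("vulnerable ordering reveals:", enumerate(s.cloneVulnerable, sampleCandidates))
	fmt.Println("fixed ordering reveals:     ", enumerate(s.cloneFixed, sampleCandidates))
}
```

The check a reviewer would apply to any similar endpoint is to compare the unauthenticated response for an ID known to exist with the response for a random ID: if they differ in status code, body length or timing, the endpoint is an oracle regardless of whether the privileged operation itself is protected.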

@ryanuber (Member)


Definitely agreed - we should hide token existence from prying eyes. Thanks @gmr!

@ryanuber ryanuber added the type/bug Feature does not function as expected label Jul 17, 2015
@slackpad slackpad added this to the 0.7.4 milestone Nov 22, 2016
@slackpad slackpad removed this from the Triaged milestone Apr 18, 2017
@slackpad slackpad added the theme/acls ACL and token generation label May 25, 2017