yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1300274] Re: V3 Authentication Chaining - uniqueness of auth method names

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Mon, 07 Apr 2014 14:34:13 -0000
Reply-to: Bug 1300274 <1300274@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ossa
   Importance: Undecided => Medium

** Changed in: ossa
       Status: Incomplete => Confirmed

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1300274

Title:
  V3 Authentication Chaining - uniqueness of auth method names

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  New
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  In V3.0 API,  we can chain authentication methods. An attacker can
  place the same authentication method multiple times in the methods
  filed. This will result in the same authentication method checking
  over and over (for loop in code).  Using this, an attacker can achieve
  some sorts of Denial of Service.   The methods field is not properly
  sanitized.

  {
     "auth":{
        "identity":{
           "methods":[
              "password",
              "password",
               "password",
               "password",
               "password" 
           ],
          "password":{
              "user":{
                 "domain":{
                    "id":"default"
                 },
                 "name":"demo",
                 "password":"stack"
              }
           }
        }
     }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1300274/+subscriptions

References

[Bug 1300274] [NEW] V3 Authentication Chaining - uniqueness of auth method names
From: Abu Shohel Ahmed, 2014-03-31