security-doc/security-notes/OSSN-0077
Vincenzo Di Somma 1971945fcc Adding Security Note OSSN-0077
Closes-Bug #1562175

Change-Id: I0f0d2cec9948377c7fc8754a87345d7c4ec4f67c
2016-11-11 19:52:25 +01:00


Pre-auth COPY in versioned_writes can result in a successful COPY that
wouldn't have been authorized
---
### Summary ###
This issue affects the object versioning feature of Swift (the versioned_writes
middleware) and potentially allows an unauthorized user to drive up the storage
usage of a third party's account.
Specifically, a user can create new versions of existing objects that belong to
projects for which they hold no authorization. The malicious user cannot read
or write the object in question, nor create objects with arbitrary content.
### Affected Services / Software ###
Swift < 2.10.0
### Discussion ###
On a PUT to an object in a versioning-enabled container, the versioned_writes
middleware uses a pre-authenticated (pre-auth) subrequest to move the existing
object into the versions container, and only afterwards checks whether the
user is authorized to perform the PUT. A user can therefore select the path of
a versioned object they have no access to and issue a PUT against it: the copy
into the versions container executes before the request fails for lack of
permissions. Each such rejected request leaves another archived copy of the
existing object in the victim's versions container, which is how the victim's
storage usage can be driven up without the attacker ever reading the object.
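The ordering described above, modelled as an added example that is not part of
this note or of Swift's own code: a toy in-memory store in which the archive
copy runs as a pre-auth subrequest (no authorization of its own), with the
vulnerable order (copy, then authorize) beside one corrected order (authorize,
then copy). The Store class, the container and project names and the 403/201
return values are constructed for the illustration; only the
side-effect-before-authorization ordering and the "<3-hex-digit length><name>/<timestamp>"
archive naming follow the behaviour of the Swift middleware.

```python
"""Toy model of the authorization-ordering bug described in OSSN-0077.

Added illustration, not Swift's code: an in-memory object store stands in for
Swift, and the two put() functions model the order in which versioned_writes
performed the archive copy and the authorization check. Container and project
names are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    # container name -> {object name: object body}
    containers: dict = field(default_factory=dict)
    # container name -> project allowed to write to it (stand-in for Swift ACLs)
    owners: dict = field(default_factory=dict)
    # container name -> its versions container (the X-Versions-Location setting)
    versions_location: dict = field(default_factory=dict)
    # monotonically increasing stand-in for the timestamp in archived names
    clock: int = 0

    def create_container(self, name, owner, versions_location=None):
        self.containers[name] = {}
        self.owners[name] = owner
        if versions_location is not None:
            self.versions_location[name] = versions_location

    def authorized(self, project, container):
        """The authorization check an ordinary client request is subject to."""
        return self.owners.get(container) == project

    def archive_preauth(self, container, obj):
        """Pre-authenticated subrequest: copies the current object into the
        versions container. Being pre-auth it performs no authorization check,
        so whoever triggers it causes a write into the owner's container."""
        versions = self.versions_location.get(container)
        data = self.containers[container].get(obj)
        if versions is None or data is None:
            return False
        self.clock += 1
        # versioned_writes names archived copies "<3-hex-digit length><name>/<timestamp>"
        self.containers[versions][f"{len(obj):03x}{obj}/{self.clock}"] = data
        return True


def versioned_put_vulnerable(store, project, container, obj, body):
    """Swift < 2.10.0 ordering per OSSN-0077: archive copy first, authorize after."""
    store.archive_preauth(container, obj)          # side effect happens for anyone
    if not store.authorized(project, container):
        return 403                                 # too late: the copy already landed
    store.containers[container][obj] = body
    return 201


def versioned_put_fixed(store, project, container, obj, body):
    """Authorize the caller's PUT before any side-effecting subrequest
    (one correct ordering for this model; not a transcript of the Swift fix)."""
    if not store.authorized(project, container):
        return 403
    store.archive_preauth(container, obj)
    store.containers[container][obj] = body
    return 201


def bytes_used(store, container):
    return sum(len(b) for b in store.containers[container].values())


def attack(put, attempts=5):
    """Attacker PUTs repeatedly against an object in a container they do not own.
    Returns (set of statuses, bytes in the victim's versions container, body)."""
    store = Store()
    store.create_container("victim", owner="victim-project",
                           versions_location="victim-versions")
    store.create_container("victim-versions", owner="victim-project")
    store.containers["victim"]["report.pdf"] = b"confidential"   # 12 bytes
    statuses = {put(store, "attacker-project", "victim", "report.pdf", b"junk")
                for _ in range(attempts)}
    return (statuses,
            bytes_used(store, "victim-versions"),
            store.containers["victim"]["report.pdf"])


def legitimate_update(put):
    """The owner's own PUT archives one version and replaces the object."""
    store = Store()
    store.create_container("victim", owner="victim-project",
                           versions_location="victim-versions")
    store.create_container("victim-versions", owner="victim-project")
    store.containers["victim"]["report.pdf"] = b"v1"
    status = put(store, "victim-project", "victim", "report.pdf", b"v2")
    return (status,
            len(store.containers["victim-versions"]),
            store.containers["victim"]["report.pdf"])


if __name__ == "__main__":
    print("vulnerable:", attack(versioned_put_vulnerable))
    print("fixed:     ", attack(versioned_put_fixed))
```

Running the module shows the point of the note: every one of the attacker's
five PUTs is rejected with 403 under both orderings and the object body is
untouched, but with the vulnerable ordering the victim's versions container
has grown by one archived copy per rejected request, while with the corrected
ordering it stays empty. The owner's own PUT behaves identically under both.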
### Recommended Actions ###
Upgrade Swift to version 2.10.0 or later where possible.
### Contacts / References ###
Author: Vincenzo Di Somma
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0077
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1562175
Mailing List : [Security] tag on openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg