Information leakage from the error message for user creation

Bug #1321804 reported by michael xin
Affects                        Status        Importance   Assigned to       Milestone
OpenStack Identity (keystone)  Fix Released  Medium       Morgan Fainberg
OpenStack Security Advisory    Won't Fix     Undecided    Unassigned

Bug Description

When the user creation function tries to create a user name that already exists, the API returns an error message with status code 409. Unfortunately, the error message contains the SQL statement. It can provide useful information for the attacker.

For example,
POST /v2.0/users HTTP/1.1
Host: 23.253.125.245:35357
Content-Length: 160
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
X-Auth-Token: MIIUxAYJKoZIhvcNAQcCoIIUtTCCFLECAQExDTALBglghkgBZQMEAgEwghMSBgkqhkiG9w0BBwGgghMDBIIS-[...]-9pFx7vCoYGl1vl-H63E4xqrTw5uYE+0AjSdef5OElFsdXUnq4jo1yC-xLCqFxS95oCHYd3g9vnIbg715u4WV+GFHap5QWxYgz4JyT-1Fj9hZJu2hO+erKVnBYsyBUpwU2WFR8GYL+Vsg6QeEE-0mrpgqSC7GQ4W7B2Imgr9A3fezDsdZf8WVuDcsMGbpRAkp0qus2H8q4yHu38H1ZdgA==
User-Agent: python-requests/2.2.1 CPython/2.7.5 Darwin/13.1.0
Content-Type: application/xml

<user OS-KSADM:password="password" email="<email address hidden>" enabled="true" name="'" xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" />

Here is the response:
HTTP/1.1 409 Conflict
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 638
Date: Wed, 21 May 2014 15:16:16 GMT

<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Conflict occurred attempting to store user. (IntegrityError) (1062, &quot;Duplicate entry 'default-'' for key 'domain_id'&quot;) 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('391b7bb762554558be0b90591a5ff826', &quot;'&quot;, 'default', '$6$rounds=40000$wGwbH/0zGyednfRW$VmBXEtaDcThTLskznCC/KnODYXqvSld.xU4z5/DjOieT4iMl5HIbYO.uRB24hj27bDq6daSQ0YGZjdKHhkNFG/', 1, '{&quot;email&quot;: &quot;<email address hidden>&quot;}', None)" code="409" title="Conflict"/>

We should use a generic error message for all errors.

https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@michael xin could you mark one of those two reports (#1321804 and #1321796) as a duplicate of the other?

Changed in ossa:
status: New → Incomplete
Revision history for this message
michael xin (jqxin2006) wrote :

Thanks. 1321804 and 1321796 are separate issues. One is about user enumeration and the other is about improper error handling for user creation.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Sorry, my bad! So...

The advisory task is incomplete pending additional details from security reviewers (keystone-coresec).

Revision history for this message
Dolph Mathews (dolph) wrote :

This behavior is well illustrated in *many* different issues, but I'm failing to find a report asking for it to be fixed - but it obviously should.

One example: https://bugs.launchpad.net/keystone/+bug/1223036

There's no reason to keep this issue private. Furthermore, our SQL schema is far from secretive.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Thierry Carrez (ttx) wrote :

I agree that given that it is open source, the keystone DB schema is a pretty public thing. The values exposed in the error message correspond to the values passed by the user, so there is no leak there either.

Unless someone objects, I'll remove the security tag and open this bug publicly so that it can be fixed in the open.

Revision history for this message
Dolph Mathews (dolph) wrote :

Although I haven't tested this specific scenario myself, this should also be governed by debug mode in keystone.conf. If you disable debug mode, the message should be replaced by an opaque "An unexpected error prevented the server from fulfilling your request." without any further details. If that's true, then this is behaving as intended and this issue can be closed.

Revision history for this message
Dolph Mathews (dolph) wrote :

Working to provide better user feedback for this issue in https://bugs.launchpad.net/keystone/+bug/1322187

Revision history for this message
michael xin (jqxin2006) wrote :

I tried disabling debug mode. It still gives a message like this:
HTTP/1.1 409 Conflict
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 638
Date: Fri, 23 May 2014 18:47:58 GMT

<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Conflict occurred attempting to store user. (IntegrityError) (1062, &quot;Duplicate entry 'default-'' for key 'domain_id'&quot;) 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('75615359774d4eae84c1e737409077f7', &quot;'&quot;, 'default', '$6$rounds=40000$c.E9lZDOYx9rlUy1$bsZfBgJi..3MuP9GhNr7n0UPkGO.ofR9IDNYRa/gcOz.XkXvZFbYyXw0FpxNxnyQg6PAttgexAUsHVRH6to.0.', 1, '{&quot;email&quot;: &quot;<email address hidden>&quot;}', None)" code="409" title="Conflict"/>

Revision history for this message
Dolph Mathews (dolph) wrote :

Boo, thanks for confirming, jqxin2006. This definitely needs to be addressed then, but I think it should be done publicly.

Revision history for this message
Thierry Carrez (ttx) wrote :

Agree this is not security-sensitive. Will open publicly unless someone complains.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, public now.

Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/98302

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/98302
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bc9caae655434b3b79ecf4e9dee6227ac8340b1
Submitter: Jenkins
Branch: master

commit 0bc9caae655434b3b79ecf4e9dee6227ac8340b1
Author: Morgan Fainberg <email address hidden>
Date: Thu Jun 26 09:14:27 2014 -0700

    Do not leak SQL queries in HTTP 409 (conflict)

    Log the exception details for debugging purposes when a SQL conflict
    exception occurs when using the handle_conflicts decorator. Make
    sure the raw sql queries do not get passed back to the end user.

    Change-Id: If1ea528f0f9e486258d73b239015f370de2353ca
    Closes-Bug: #1321804

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2
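The commit above describes the fix in one sentence: keep the raw SQL and bound parameters in the server log, and hand the client a fixed string. The following is an added example, not keystone's own code or the merged change: a minimal `handle_conflicts` decorator in its leaky form (the exception's `str()`, which for SQLAlchemy's IntegrityError carries the driver error, the INSERT statement and the bound values, including the `$6$` password hash, goes straight into the 409 body as in the reports above) beside a hardened form that logs the details and returns only a generic message. The `Conflict` and `IntegrityError` classes are constructed stand-ins for keystone's 409 exception and `sqlalchemy.exc.IntegrityError`, the "Duplicate Entry" wording is an assumption, and the sample error mirrors the values visible in the reported response; `leaks_sql` is the check one would run over a captured 409 body.

```python
"""Added example (not keystone's code): a 409 handler that leaks the SQL
statement beside one that keeps it in the log. Runs offline."""
import functools
import logging

LOG = logging.getLogger(__name__)


class Conflict(Exception):
    """Stand-in for keystone's HTTP 409 exception (assumption: the message
    format mirrors the 'Conflict occurred attempting to store user. ...'
    text seen in the reported response)."""
    code = 409
    title = "Conflict"

    def __init__(self, type_, details):
        self.message = "Conflict occurred attempting to store %s. %s" % (type_, details)
        super().__init__(self.message)


class IntegrityError(Exception):
    """Constructed stand-in for sqlalchemy.exc.IntegrityError: like the real
    one, str() includes the driver error, the statement and the parameters."""

    def __init__(self, orig, statement, params):
        self.orig, self.statement, self.params = orig, statement, params
        super().__init__("(IntegrityError) %s %r %r" % (orig, statement, params))


def handle_conflicts_leaky(conflict_type):
    """Before the fix: str(exception) becomes the client-visible details."""
    def decorator(method):
        @functools.wraps(method)
        def wrapper(*args, **kwargs):
            try:
                return method(*args, **kwargs)
            except IntegrityError as e:
                raise Conflict(conflict_type, details=str(e))
        return wrapper
    return decorator


def handle_conflicts(conflict_type):
    """After the fix: full details go to the log, a fixed string to the client."""
    def decorator(method):
        @functools.wraps(method)
        def wrapper(*args, **kwargs):
            try:
                return method(*args, **kwargs)
            except IntegrityError as e:
                # Operators still get statement and parameters server-side.
                LOG.debug("Conflict while trying to store %s: %s", conflict_type, e)
                # Clients only learn that the object already exists
                # ("Duplicate Entry" wording is an assumption).
                raise Conflict(conflict_type, details="Duplicate Entry")
        return wrapper
    return decorator


# Constructed sample modelled on the reported response: what the MySQL
# driver raises when a user with this name already exists in the domain.
SAMPLE_ERROR = IntegrityError(
    orig=(1062, "Duplicate entry 'default-'' for key 'domain_id'"),
    statement="INSERT INTO user (id, name, domain_id, password, enabled, extra, "
              "default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)",
    params=("391b7bb762554558be0b90591a5ff826", "'", "default",
            "$6$rounds=40000$wGwbH/0zGyednfRW$...", 1, '{"email": "..."}', None),
)


def _create_user_raising():
    """Simulates the SQL backend's create_user hitting the unique constraint."""
    raise SAMPLE_ERROR


def conflict_message(decorator):
    """Run the failing create through a decorator; return the 409 message text."""
    try:
        decorator("user")(_create_user_raising)()
    except Conflict as exc:
        return exc.message
    return None


def leaks_sql(message):
    """Check a 409 body for the markers present in the reported leak:
    the INSERT statement or a SHA-512-crypt password hash."""
    return "INSERT INTO" in message or "$6$" in message


if __name__ == "__main__":
    for name, dec in (("leaky", handle_conflicts_leaky), ("fixed", handle_conflicts)):
        msg = conflict_message(dec)
        print("%s: leaks SQL = %s\n  %s" % (name, leaks_sql(msg), msg))
```

Note that the leaky path bypasses the generic "An unexpected error prevented the server from fulfilling your request." handler entirely, which is why turning off debug mode made no difference in the report: the decorator raises a well-formed 409 whose message already contains the statement, so there is nothing left for the debug switch to suppress.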