When the user creation function tries to create a user name that already exists, the API returns an error message with a status code of 409. Unfortunately, the error message contains the SQL statement. It can provide useful information for the attacker.
For example,
POST /v2.0/users HTTP/1.1
Host: 23.253.125.245:35357
Content-Length: 160
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
X-Auth-Token: <PKI token omitted>
User-Agent: python-requests/2.2.1 CPython/2.7.5 Darwin/13.1.0
Content-Type: application/xml
<user OS-KSADM:password="password" email="<email address hidden>" enabled="true" name="'" xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" />
Here is the response:
HTTP/1.1 409 Conflict
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 638
Date: Wed, 21 May 2014 15:16:16 GMT
<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Conflict occurred attempting to store user. (IntegrityError) (1062, "Duplicate entry 'default-'' for key 'domain_id'") 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('391b7bb762554558be0b90591a5ff826', "'", 'default', '$6$rounds=40000$wGwbH/0zGyednfRW$VmBXEtaDcThTLskznCC/KnODYXqvSld.xU4z5/DjOieT4iMl5HIbYO.uRB24hj27bDq6daSQ0YGZjdKHhkNFG/', 1, '{"email": "<email address hidden>"}', None)" code="409" title="Conflict"/>
We should use a generic error message for all errors.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
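The following is an added example, not Keystone's own code: a leak detector that flags the kinds of internals visible in the 409 body above (the driver error tuple, the INSERT statement, the crypt-style password hash, the key name) and a handler that returns the generic message while keeping the full exception in the server log. The sample body is constructed from the quoted response with the hash shortened and the email replaced by a placeholder.

```python
import logging
import re

log = logging.getLogger("keystone.user_create")

# Constructed sample, modelled on the 409 body quoted in this report
# (hash truncated, email replaced; not real credentials).
LEAKED_MESSAGE = (
    "Conflict occurred attempting to store user. (IntegrityError) "
    "(1062, \"Duplicate entry 'default-'' for key 'domain_id'\") "
    "'INSERT INTO user (id, name, domain_id, password, enabled, extra, "
    "default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' "
    "('391b7bb762554558be0b90591a5ff826', \"'\", 'default', "
    "'$6$rounds=40000$wGwbH/0zGyednfRW$VmBXEtaDcThTLskznCC', 1, "
    "'{\"email\": \"user@example.com\"}', None)"
)

# What the client should see instead: the same condition, no internals.
GENERIC_MESSAGE = "Conflict occurred attempting to store user."

# Things a client-visible error body should never contain: SQL statements,
# DB-API error tuples, crypt(3)-style password hashes, constraint/key names.
LEAK_PATTERNS = {
    "sql_statement": re.compile(r"\b(INSERT INTO|UPDATE|DELETE FROM|SELECT)\b", re.I),
    "driver_error": re.compile(r"\(IntegrityError\)|\(\d{4}, "),
    "password_hash": re.compile(r"\$(?:1|5|6|2[aby])\$[^\s'\"]+"),
    "key_name": re.compile(r"for key '\w+'"),
}


def find_leaks(body):
    """Return the sorted names of LEAK_PATTERNS that match a response body.

    Useful as a response-side check in an API test suite: any non-empty
    result means the error handler is echoing backend details to clients.
    """
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(body))


def conflict_response(exc):
    """Build the client-visible 409 payload for a failed user insert.

    The full exception (including the SQL text) goes to the server log only;
    the client gets a fixed message that reveals nothing about the backend.
    """
    log.warning("user create conflict: %s", exc)
    return {"code": 409, "title": "Conflict", "message": GENERIC_MESSAGE}
```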
@michael xin could you mark one of those two reports ( #1321804 and #1321796 ) as a duplicate of the other ?