- Bug
- Resolution: Unresolved
- Medium
1. Used netconf-5.0.3, which ships the aaa 0.17.6 release.
2. Issued a GET to the netconf topology as follows:

```
curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' --user 'admin:admin'
* Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0; Path=/rests; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/rests; Max-Age=0; Expires=Mon, 20-Mar-2023 04:55:46 GMT; SameSite=lax
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 04:55:46
< Content-Type: application/yang-data+json
< Content-Length: 66
<
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]}
```

3. In the following request, used the same session cookie with a wrong username/password:

```
curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' --header 'Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0' --user 'admin23:56789'
* Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin23'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW4yMzo1Njc4OQ==
> User-Agent: curl/7.58.0
> Accept: */*
> Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0
>
< HTTP/1.1 200 OK
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 05:06:10
< Content-Type: application/yang-data+json
< Content-Length: 66
<
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]}
```
The GET request succeeded (200 OK): the invalid Basic credentials in the Authorization header were ignored in favour of the session cookie.
The same issue also occurs in earlier versions of AAA.
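To make the reported behaviour concrete, here is an added Python model of the server-side authorization decision (example code, not OpenDaylight AAA's or Shiro's implementation): `authorize_buggy` reproduces what the report shows, a resolvable JSESSIONID short-circuits credential checking, while `authorize_fixed` always verifies an explicit Authorization header and only falls back to the session when none is sent. The user table, session store and header dictionaries are constructed sample data.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed sample state: one user and one live session
# (the session id is the one issued in the report's first request).
USERS = {"admin": "admin"}
SESSIONS = {"node018vko67sr5ocytgqohuqzb11z0.node0": "admin"}


def basic_credentials(headers):
    """Decode 'Authorization: Basic <b64>' into (user, password); None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def password_ok(user, password):
    """Constant-time comparison against the sample user table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def session_principal(headers):
    """Resolve the JSESSIONID cookie to a principal, or None if absent or unknown."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get("JSESSIONID")
    return SESSIONS.get(morsel.value) if morsel else None


def authorize_buggy(headers):
    """Reported behaviour: a valid session wins and the credentials are never checked."""
    principal = session_principal(headers)
    if principal is not None:
        return 200, principal
    creds = basic_credentials(headers)
    return (200, creds[0]) if creds and password_ok(*creds) else (401, None)


def authorize_fixed(headers):
    """Hardened: explicit credentials are always verified; the session is only a fallback."""
    creds = basic_credentials(headers)
    if creds is not None:
        # A wrong password must not be rescued by a cookie sent alongside it.
        return (200, creds[0]) if password_ok(*creds) else (401, None)
    principal = session_principal(headers)
    return (200, principal) if principal is not None else (401, None)
```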