Date: Wed, 20 Apr 2016 16:03:08 +0100 From: Dominic Cleal <dominic@...al.org> To: oss-security@...ts.openwall.com Cc: foreman-security@...glegroups.com Subject: CVE-2016-3693: Foreman application information leakage through templates CVE-2016-3693: Foreman application information leakage through template rendering A provisioning template containing `inspect` will expose sensitive information about the Rails controller and application when rendered when using Safemode rendering (the default setting). This includes the application secret token, possibly permitting a privilege escalation when the app is using signed cookies. Thanks to Ivan Necas for reporting the issue. As a precaution, the security token may be regenerated with: chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb foreman-rake security:generate_token chown root /usr/share/foreman/config/initializers/local_secret_token.rb Mitigation: remove edit_provisioning_templates from untrusted users. Affects all known Foreman versions Fix released in Foreman 1.11.1 and safemode 1.2.4 Patches: 1. The safemode gem (https://rubygems.org/gems/safemode) was patched to disallow the inspect instance method: https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f 2. Foreman was patched to use this in https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2 More information: http://theforeman.org/security.html#2016-3693 http://projects.theforeman.org/issues/14635 http://theforeman.org/ -- Dominic Cleal dominic@...al.org [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ