Date: Wed, 20 Apr 2016 16:03:08 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-3693: Foreman application information leakage through
 templates

CVE-2016-3693: Foreman application information leakage through template
rendering

A provisioning template that calls `inspect` exposes sensitive
information about the Rails controller and application when it is
rendered with Safemode rendering (the default setting). The leaked data
includes the application secret token; because that token is what signs
Rails cookies, a user who can read it may be able to forge signed
cookies and escalate privileges when the app uses them.

Thanks to Ivan Necas for reporting the issue.

As a precaution, the secret token may be regenerated with the commands
below (the first chown lets foreman-rake rewrite the initializer, the
last returns it to root). Note that regenerating the token invalidates
any sessions and signed cookies issued under the old one:

  chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb
  foreman-rake security:generate_token
  chown root /usr/share/foreman/config/initializers/local_secret_token.rb

Mitigation: remove the edit_provisioning_templates permission from
untrusted users until the fix is applied.

Affects all known Foreman versions
Fix released in Foreman 1.11.1 and safemode 1.2.4

Patches:
1. The safemode gem (https://rubygems.org/gems/safemode) was patched to
disallow the inspect instance method:
https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f
2. Foreman was patched to use this in
https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2
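The following is an added example, not code from Foreman or the safemode
gem, illustrating both the leak described above and the effect of the
safemode fix. Ruby's default Object#inspect dumps every instance variable
of an object, so a template that can call `inspect` on its rendering
context reads whatever that context holds. The render context class, the
fake token, the ERB-like tag syntax and the method-allowlist sandbox are
all constructed for illustration and are a simplification, not Safemode's
actual design.

```ruby
# Added example (not Foreman's or the safemode gem's code): why `inspect`
# in a sandboxed template leaks, and what explicitly disallowing it buys.
# All names and the token value below are made up.

# Constructed stand-in for a Rails controller / render context. The token
# is a fake constant, not a real secret.
class FakeRenderContext
  FAKE_SECRET_TOKEN = "deadbeef0123456789abcdef"

  def initialize
    @secret_token = FAKE_SECRET_TOKEN
    @hostname = "host01.example.com"
  end

  # The only method templates are meant to call.
  def hostname
    @hostname
  end
end

# Minimal method-allowlist sandbox (a simplification, not Safemode's
# design): a template may only call allowlisted methods, and anything on
# the denylist is refused even if the allowlist would pass it.
class TemplateSandbox
  def initialize(context, allowed:, denied: [])
    @context = context
    @allowed = allowed.map(&:to_s)
    @denied  = denied.map(&:to_s)
  end

  def call(method_name)
    name = method_name.to_s
    if @denied.include?(name) || !@allowed.include?(name)
      raise NoMethodError, "#{name} is not permitted in a template"
    end
    @context.public_send(name)
  end
end

# Tiny ERB-like renderer: each <%= name %> tag is a bare method call
# routed through the sandbox. Just enough to show the leak.
TEMPLATE_TAG = /<%=\s*(\w+)\s*%>/

def render(template, sandbox)
  template.gsub(TEMPLATE_TAG) { sandbox.call(Regexp.last_match(1)) }
end

# Before the fix: `inspect` is reachable because every object has it and
# nothing singled it out, so the whole context is dumped into the output.
def vulnerable_render(template)
  sandbox = TemplateSandbox.new(FakeRenderContext.new,
                                allowed: %i[hostname inspect])
  render(template, sandbox)
end

# After the fix (what safemode 1.2.4 did, in spirit): `inspect` is
# explicitly disallowed, so the same template is refused instead of rendered.
def fixed_render(template)
  sandbox = TemplateSandbox.new(FakeRenderContext.new,
                                allowed: %i[hostname inspect],
                                denied: %i[inspect])
  render(template, sandbox)
end

# Does rendering `template` with the named renderer expose the fake token?
# Returns false when the sandbox refuses the template outright.
def leaks_token?(template, renderer)
  send(renderer, template).include?(FakeRenderContext::FAKE_SECRET_TOKEN)
rescue NoMethodError
  false
end

if __FILE__ == $PROGRAM_NAME
  evil = "Host: <%= hostname %>\n<%= inspect %>\n"
  puts "vulnerable renderer leaks token? #{leaks_token?(evil, :vulnerable_render)}"
  puts "fixed renderer leaks token?      #{leaks_token?(evil, :fixed_render)}"
end
```

Run it to see the vulnerable renderer print the constructed context,
token included, while the fixed renderer raises NoMethodError on the
`inspect` tag. The real gem enforces its rules on the template source
rather than on each call, but the property being restored is the same:
methods that reflect over the host object must never be reachable from
user-supplied templates, however harmless they look.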

More information:
http://theforeman.org/security.html#2016-3693
http://projects.theforeman.org/issues/14635
http://theforeman.org/

-- 
Dominic Cleal
dominic@...al.org


