Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <57179A2C.5030007@cleal.org>
Date: Wed, 20 Apr 2016 16:03:08 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-3693: Foreman application information leakage through
 templates

CVE-2016-3693: Foreman application information leakage through template
rendering

A provisioning template containing `inspect` will expose sensitive
information about the Rails controller and application when rendered
when using Safemode rendering (the default setting). This includes the
application secret token, possibly permitting a privilege escalation
when the app is using signed cookies.

Thanks to Ivan Necas for reporting the issue.

As a precaution, the security token may be regenerated with:

  chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb
  foreman-rake security:generate_token
  chown root /usr/share/foreman/config/initializers/local_secret_token.rb

Mitigation: remove edit_provisioning_templates from untrusted users.

Affects all known Foreman versions
Fix released in Foreman 1.11.1 and safemode 1.2.4

Patches:
1. The safemode gem (https://rubygems.org/gems/safemode) was patched to
disallow the inspect instance method:
https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f
2. Foreman was patched to use this in
https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2

More information:
http://theforeman.org/security.html#2016-3693
http://projects.theforeman.org/issues/14635
http://theforeman.org/

-- 
Dominic Cleal
dominic@...al.org



Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.