Date: Wed, 20 Apr 2016 16:03:08 +0100 From: Dominic Cleal <dominic@...al.org> To: oss-security@...ts.openwall.com Cc: foreman-security@...glegroups.com Subject: CVE-2016-3693: Foreman application information leakage through templates CVE-2016-3693: Foreman application information leakage through template rendering A provisioning template containing `inspect` will expose sensitive information about the Rails controller and application when rendered when using Safemode rendering (the default setting). This includes the application secret token, possibly permitting a privilege escalation when the app is using signed cookies. Thanks to Ivan Necas for reporting the issue. As a precaution, the security token may be regenerated with: chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb foreman-rake security:generate_token chown root /usr/share/foreman/config/initializers/local_secret_token.rb Mitigation: remove edit_provisioning_templates from untrusted users. Affects all known Foreman versions Fix released in Foreman 1.11.1 and safemode 1.2.4 Patches: 1. The safemode gem (https://rubygems.org/gems/safemode) was patched to disallow the inspect instance method: https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f 2. Foreman was patched to use this in https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2 More information: http://theforeman.org/security.html#2016-3693 http://projects.theforeman.org/issues/14635 http://theforeman.org/ -- Dominic Cleal dominic@...al.org Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.