Bug #1208

closed

Unauthenticated IP spoofing should not be allowed

Added by Marcello de Sousa over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Unattended installations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Now any server can spoof and get a kickstart file that might have interesting info (such as root password hash). This can be considered a security weakness as you shouldn't be allowed to spoof IPs unauthenticated anyway.

Next to that, as a workaround for #969, I've been forced to filter the allowed URLs in my Apache config file (/etc/httpd/conf.d/foreman.conf - check template sample below).
There is one important issue though. This won't match query strings such as "?spoof=", giving me one more reason for this request.

  <Location />
    Order Deny,Allow
    Deny from all
    <% scope.lookupvar('foreman::params::allowed_ips').split(',').each do |ip| -%>
    Allow from <%= ip %>
    <% end -%>
    Allow from 127.0.0.1
    Allow from <%= ipaddress %>
  </Location>
  <Location ~ "^/unattended/(kickstart|built)$" >
    Order Deny,Allow
    Deny from all
    <% scope.lookupvar('foreman::params::unattended_allowed_ips').split(',').each do |ip| -%>
    Allow from <%= ip %>
    <% end -%>
  </Location>
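
Added example, not part of the original report and not Foreman's own code: the `<Location>` pattern above is applied to the URL path only, so one way to see whether `?spoof=` requests reached the unattended URLs is to audit the Apache access log. The log lines, the allow-list and all helper names here are constructed for illustration.

```ruby
require 'ipaddr'
require 'uri'

# Path pattern from the second <Location> block; it sees the URL path only.
UNATTENDED_PATH = %r{\A/unattended/(kickstart|built)\z}
# Apache common/combined log prefix: client, request target, status.
LOG_LINE = /\A(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) /

Finding = Struct.new(:client, :path, :spoofed_as, :status, :client_allowed)

# Constructed allow-list and log lines (documentation address ranges), not real data.
ALLOWED = %w[192.0.2.0/24].freeze
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [09/Jun/2011:10:00:01 +0000] "GET /unattended/kickstart HTTP/1.1" 200 2048
  192.0.2.10 - - [09/Jun/2011:10:00:05 +0000] "GET /unattended/kickstart?spoof=198.51.100.7 HTTP/1.1" 200 2048
  203.0.113.5 - - [09/Jun/2011:10:01:00 +0000] "GET /unattended/built?spoof=192.0.2.99 HTTP/1.1" 403 199
  192.0.2.10 - - [09/Jun/2011:10:02:00 +0000] "GET /hosts?search=spoof HTTP/1.1" 200 512
  truncated or garbage line
LOG

def client_allowed?(client, cidrs)
  addr = IPAddr.new(client)
  cidrs.any? { |cidr| IPAddr.new(cidr).include?(addr) }
rescue ArgumentError # client logged as a hostname or otherwise unparsable
  false
end

def query_params(query)
  URI.decode_www_form(query.to_s)
rescue ArgumentError # non-ASCII or malformed query: treat as no parameters
  []
end

# Returns one Finding per /unattended request that carries a "spoof" parameter.
def spoof_requests(log_text, cidrs)
  log_text.each_line.each_with_object([]) do |line, findings|
    m = LOG_LINE.match(line)
    next unless m
    client, target, status = m.captures
    path, query = target.split('?', 2)
    next unless UNATTENDED_PATH.match(path)
    spoof = query_params(query).assoc('spoof')
    next unless spoof
    findings << Finding.new(client, path, spoof[1], status.to_i, client_allowed?(client, cidrs))
  end
end

spoof_requests(SAMPLE_LOG, ALLOWED).each { |f| puts f.to_a.join(' ') } if $PROGRAM_NAME == __FILE__
```

A finding with `client_allowed` true and a 2xx status is a request the IP allow-list let through with the `spoof` parameter intact.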

Related issues 1 (0 open, 1 closed)

Related to Smart Proxy - Feature #969: Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy) - Closed - dustin tsang - 06/09/2011

#1

Updated by Marcello de Sousa over 12 years ago

...and if auth required, via HTTPS only of course.

#2

Updated by Ohad Levy over 12 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100