Bug #13828

CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks

Added by Ohad Levy about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assigned To: Tom Caspy
Category: Security
Target version: -
Difficulty:
Bugzilla link: 1192414
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3221
Story points: -
Velocity based estimate: -
Release: 1.10.3
Release relationship: Auto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1192414
Description of problem:
Unprivileged user can see Administer -> Bookmarks

How reproducible:
always

Steps to Reproduce:
1. Login with admin user
2. Switch to "Any context" and create user without any location, org and role
3. Logout with admin user and login with newly created user

Actual results:
The unprivileged user can access Administer -> Bookmarks. He cannot get details about these bookmarks, but can see them.

Screen Shot 2016-02-22 at 3.50.23 PM.png (13.7 KB) Tom Caspy, 02/22/2016 08:51 AM


Associated revisions

Revision a61344da
Added by Tom Caspy about 1 year ago

fixes #13828 - CVE-2016-2100 - only showing relevant bookmarks

History

#1 Updated by Ohad Levy about 1 year ago

I would expect bookmark listing to display my_bookmarks by default, similar to how the bookmark dropdown works.

#2 Updated by Ohad Levy about 1 year ago

  • Description updated (diff)

#3 Updated by Dominic Cleal about 1 year ago

  • Subject changed from unprivileged user can see Administer -> Bookmarks to unprivileged user can see private bookmarks in Administer -> Bookmarks
  • Category set to Security
  • Assigned To deleted (Tom Caspy)

I think you specifically mean other users' private bookmarks are visible, so updated. The page and public bookmarks should be accessible to any user.

Please report security issues first to foreman-security, don't just file them in Redmine. See http://theforeman.org/security.html and https://groups.google.com/forum/#!msg/foreman-dev/noN-XJ1qXgU/vYFPVYLQDQAJ for more information. I will forward and start the CVE process myself.

#4 Updated by Dominic Cleal about 1 year ago

There are further related issues with bookmarks, mostly coming from resource_base not being adequately defined:

  • UI edit action can render a form for a private bookmark by ID, if the user has edit_permission.
  • API index and get responses also show private bookmarks from other users.
  • update and destroy actions of both the UI and API are not scoped to bookmarks that the user should have access to update, so they can supply an ID for a private bookmark of another user, and the resource is found and updated. User needs edit/destroy_bookmarks permission for this.

I've requested a CVE for this issue, we'll address it in the next release(s) following a patch being written.
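The scoping problem described in this comment, as an added illustration that is not Foreman's code: a base scope (public bookmarks plus the caller's own) is defined once and every action (index, show, update, destroy) resolves records through it, so a permission check alone no longer lets a user reach another user's private bookmark by ID. Bookmark, User, BookmarkStore, the exception classes and the sample records are all constructed for this example.

```ruby
# Added example, not Foreman's code: a minimal model of the scoping fix the
# report calls for. Bookmark, User, BookmarkStore, NotFound, Forbidden and the
# sample records below are all constructed for this illustration.
Bookmark = Struct.new(:id, :name, :owner_id, :public, keyword_init: true)
User     = Struct.new(:id, :permissions, keyword_init: true)

class NotFound  < StandardError; end
class Forbidden < StandardError; end

class BookmarkStore
  def initialize(bookmarks)
    @bookmarks = bookmarks
  end

  # The defect: any record is reachable by id, whoever asks, so a user who
  # supplies the id of another user's private bookmark gets it back.
  def find_unscoped(id)
    @bookmarks.find { |b| b.id == id } or raise NotFound
  end

  # The fix: define the base scope once (public bookmarks plus the caller's
  # own) and resolve every action through it, so another user's private
  # bookmark is indistinguishable from a bookmark that does not exist.
  def resource_base(user)
    @bookmarks.select { |b| b.public || b.owner_id == user.id }
  end

  def find_scoped(user, id)
    resource_base(user).find { |b| b.id == id } or raise NotFound
  end

  # index / show: list only what the scope yields
  def index(user)
    resource_base(user).map(&:id)
  end

  def visible?(user, id)
    resource_base(user).any? { |b| b.id == id }
  end

  # update / destroy: the permission check is necessary but, as the comment
  # notes, not sufficient; the lookup itself must also go through the scope.
  def update(user, id, new_name)
    raise Forbidden unless user.permissions.include?(:edit_bookmarks)
    bookmark = find_scoped(user, id)
    bookmark.name = new_name
    bookmark
  end

  def destroy(user, id)
    raise Forbidden unless user.permissions.include?(:destroy_bookmarks)
    bookmark = find_scoped(user, id)
    @bookmarks.delete(bookmark)
    bookmark.id
  end
end

# Constructed sample data: user 1 owns a public and a private bookmark,
# user 2 owns one private bookmark.
def sample_store
  BookmarkStore.new([
    Bookmark.new(id: 1, name: "all hosts",     owner_id: 1, public: true),
    Bookmark.new(id: 2, name: "alice private", owner_id: 1, public: false),
    Bookmark.new(id: 3, name: "bob private",   owner_id: 2, public: false),
  ])
end

if __FILE__ == $PROGRAM_NAME
  store = sample_store
  bob   = User.new(id: 2, permissions: [:edit_bookmarks, :destroy_bookmarks])
  puts "unscoped lookup of id 2 by user 2: #{store.find_unscoped(2).name}"
  puts "scoped index for user 2: #{store.index(bob).inspect}"
  begin
    store.update(bob, 2, "renamed")
  rescue NotFound
    puts "scoped update of id 2 by user 2: not found"
  end
end
```

Returning "not found" rather than "forbidden" for an out-of-scope ID is deliberate: it keeps the response identical for IDs that do not exist and IDs that belong to someone else, so the scoped lookup reveals nothing about other users' private bookmarks.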

#5 Updated by Dominic Cleal about 1 year ago

  • Subject changed from unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks

CVE-2015-7582 has been assigned. Please include the number in the commit message.

#6 Updated by Tom Caspy about 1 year ago

Tried reproducing with unprivileged user, failed.

#7 Updated by Tom Caspy about 1 year ago

But I can see all the hosts in the system, can't edit them. Is that supposed to happen?

#8 Updated by Dominic Cleal about 1 year ago

Depends on the permissions assigned to your "Anonymous" role, which is a minimum set applied to all users.

The default changed some time ago and view_hosts was removed. view_bookmarks is assigned by default, so ensure yours matches the default seed (db/seeds.d/03-roles.rb).

#9 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tom Caspy
  • Pull request https://github.com/theforeman/foreman/pull/3217 added

#10 Updated by Dominic Cleal about 1 year ago

  • Subject changed from CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks

The CVE identifier should have been assigned from a 2016 block, so it's now CVE-2016-2100.

#11 Updated by Tom Caspy about 1 year ago

  • Status changed from Ready For Testing to New
  • Assigned To deleted (Tom Caspy)

#12 Updated by Tom Caspy about 1 year ago

  • Pull request deleted (https://github.com/theforeman/foreman/pull/3217)

#13 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tom Caspy
  • Pull request https://github.com/theforeman/foreman/pull/3221 added

#14 Updated by Dominic Cleal about 1 year ago

  • Release set to 1.10.3

#15 Updated by Tom Caspy about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
