Bug #3160

CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations

Added by Dominic Cleal about 1 year ago. Updated about 1 year ago.

Status: Closed
Start date: 09/27/2013
Priority: Urgent
Due date: 10/07/2013
Assigned To: Dominic Cleal
% Done: 100%

Category: Security
Target version: 1.2.3
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -

Description

Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host/host group with the lookup_value object, since it searches for lookup_values with the "fqdn=foo.example.com" or "hostgroup=Foo" syntaxes. The association calls a method on the host or host group to obtain the matcher string, then interpolates the returned string straight into the SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected.

Steps to reproduce:
  1. create a new host group named Robert'; (the name includes the trailing apostrophe and semicolon)
  2. click on the host group to edit it

Result:

ActiveRecord::StatementInvalid in HostgroupsController#edit
SQLite3::SQLException: near ";": syntax error: SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = 'hostgroup=Robert';')

Relevant code:

app/models/concerns/host_common.rb:20

has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE (    lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy

app/models/hostgroup.rb:

def lookup_value_match
  "hostgroup=#{to_label}"
end
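An added example, not Foreman's code and not the patch attached to this issue: it mirrors the interpolation above in plain Ruby, shows what the Robert'; label does to the query text, and contrasts it with standard SQL string-literal quoting. It assumes the label is passed in as a string argument instead of being read from Hostgroup#to_label, and the helper names are made up for this illustration.

```ruby
# Added example (not Foreman's code). The label is a plain string argument
# (assumption) so the block runs without ActiveRecord or a database.

# Mirrors the vulnerable finder_sql from host_common.rb: the label is dropped
# into the SQL text unescaped, so a quote inside the label ends the literal
# and everything after it is parsed as SQL.
def vulnerable_finder_sql(label)
  "SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = 'hostgroup=#{label}')"
end

# Standard SQL string-literal quoting: a single quote inside the value is
# doubled. In a real Rails model, use connection.quote or sanitize_sql rather
# than this hand-written helper.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened form: the whole matcher string is quoted before it enters the query.
def safe_finder_sql(label)
  match = quote_sql_string("hostgroup=#{label}")
  "SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = #{match})"
end

# Replaces every complete single-quoted literal (honouring '' escapes) with '?'
# and returns what the SQL parser sees as code. Label text that survives here
# has escaped the literal, i.e. it has been injected.
def sql_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "'?'")
end

# Check used in the assertions below: true when the query has a statement
# separator outside a literal or an unterminated literal, the two symptoms
# behind the SQLite3::SQLException quoted in this issue.
def injected?(sql)
  code = sql_outside_literals(sql)
  stray_quote = code.gsub("'?'", "").include?("'")
  stray_quote || code.include?(";")
end

if __FILE__ == $PROGRAM_NAME
  label = "Robert';" # the host group name from the reproduction steps
  puts vulnerable_finder_sql(label) # the broken query from the error message
  puts safe_finder_sql(label)       # the same label, safely quoted
  puts injected?(vulnerable_finder_sql(label)) # true
  puts injected?(safe_finder_sql(label))       # false
end
```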

0001-fixes-3160-sanitize-host-host-group-names-v1.patch - v1 patch (2.46 KB) Dominic Cleal, 09/27/2013 03:45 PM

0001-fixes-3160-sanitize-host-host-group-names-v2.patch - v2 patch (updated commit message) (2.46 KB) Dominic Cleal, 09/30/2013 01:52 PM

0001-fixes-3160-sanitize-host-host-group-names-v2-1.2.patch - v2 patch (rebased onto 1.2-stable) (2.36 KB) Dominic Cleal, 09/30/2013 02:18 PM

Associated revisions

Revision 911e3f15
Added by Dominic Cleal about 1 year ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

Revision a3564bcb
Added by Dominic Cleal about 1 year ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

Revision 3dd4c0e5
Added by Dominic Cleal about 1 year ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

History

#1 Updated by Dominic Cleal about 1 year ago

  • Status changed from New to Assigned
  • Assigned To set to Dominic Cleal

#2 Updated by Dominic Cleal about 1 year ago

Patch for review please.

#3 Updated by Dominic Cleal about 1 year ago

  • Subject changed from SQL injection in host and host group lookup_value overrides/matcher associations to CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations
  • Due date set to 10/07/2013

Assigned CVE-2013-4386, embargo set to Monday 7th October.

#4 Updated by Amos Benari about 1 year ago

  • Status changed from Ready For Testing to Pending

Patch reviewed and approved.

#5 Updated by Dominic Cleal about 1 year ago

Thanks Amos. v2 is identical but with an updated commit message, no review required.

#7 Updated by Dominic Cleal about 1 year ago

  • Private changed from Yes to No

#8 Updated by Dominic Cleal about 1 year ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#9 Updated by Dominic Cleal about 1 year ago

Fix has been released in Foreman 1.2.3 (stable) and the upcoming 1.3.0-RC4 release.
