Project

General

Profile

Actions

Bug #11119

closed

CVE-2015-5152 - API permits HTTP requests when require_ssl is enabled

Added by Dominic Cleal over 8 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The "require_ssl" setting (in /etc/foreman/settings.yml) should enforce that web requests sent to Foreman over HTTP are redirected to HTTPS, but this was found not to happen with API requests (e.g. from Hammer CLI). Foreman will process API requests over HTTP, but should have redirected.

Redirection won't help with credentials having already been sent, but should give some notification that the user/app is using the wrong URL.

Affects all versions of Foreman since 1.1.

The issue has already been fixed since Foreman 1.9.0-RC1 via a refactor in #10471.

To mitigate this with Apache, add a stanza to the HTTP VirtualHost (e.g. in /etc/httpd/conf.d/05-foreman.d/api_redirect.conf) similar to:

RewriteEngine On
RewriteRule ^/api/(.*) https://%{SERVER_NAME}/api/$1 [R,L]

Related issues 1 (0 open1 closed)

Related to Foreman - Refactor #10471: Replace require_ssl filter with Rails' force_sslClosedShlomi Zadok05/11/2015Actions
Actions #1

Updated by Dominic Cleal over 8 years ago

  • Related to Refactor #10471: Replace require_ssl filter with Rails' force_ssl added
Actions

Also available in: Atom PDF