Bug #1208

Unauthenticated IP spoofing should not be allowed

Added by Marcello de Sousa almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Unattended installations
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Now any server can spoof and get a kickstart file that might have interesting info (such as root password hash). This can be considered a security weakness as you shouldn't be allowed to spoof IPs unauthenticated anyway.

Next to that, as a workaround for #969, I've been forced to filter the allowed URLs in my Apache config file (/etc/httpd/conf.d/foreman.conf - check the template sample below).
There is one important issue though. This won't match query strings such as "?spoof=", giving me one more reason for this request.

  <Location />
    Order Deny,Allow
    Deny from all
    <% scope.lookupvar('foreman::params::allowed_ips').split(',').each do |ip| -%>
    Allow from <%= ip %>
    <% end -%>
    Allow from 127.0.0.1
    Allow from <%= ipaddress %>
  </Location>
  <Location ~ "^/unattended/(kickstart|built)$" >
    Order Deny,Allow
    Deny from all
    <% scope.lookupvar('foreman::params::unattended_allowed_ips').split(',').each do |ip| -%>
    Allow from <%= ip %>
    <% end -%>
  </Location>
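
The limitation described above, shown as an added example that is not part of the original report or of Foreman's code: `<Location>` is matched against the URL path only, so a request with `?spoof=` passes the same ACL as one without it, and the parameter is only visible in the logged request line. The log lines are constructed, the log layout is an assumed combined-format access log, and all helper names are hypothetical.

```ruby
require 'uri'

# Pattern copied from the <Location ~ ...> block in the report.
LOCATION_RE = %r{^/unattended/(kickstart|built)$}

# Constructed sample access-log lines; addresses are documentation-range values.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [09/Jun/2011:10:00:01 +0000] "GET /unattended/kickstart HTTP/1.1" 200 4312
  192.0.2.77 - - [09/Jun/2011:10:00:05 +0000] "GET /unattended/kickstart?spoof=192.0.2.10 HTTP/1.1" 200 4312
  192.0.2.10 - - [09/Jun/2011:10:03:40 +0000] "GET /unattended/built HTTP/1.1" 200 0
  192.0.2.77 - - [09/Jun/2011:10:04:02 +0000] "GET /hosts?search=spoof HTTP/1.1" 302 0
LOG

# Assumed log layout: client, two fields, [time], "METHOD target PROTO", status.
LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /

# The query string is split off before <Location> matching, so only the path is tested.
def split_target(target)
  path, query = target.split('?', 2)
  [path, query.to_s]
end

def location_matches?(target)
  path, = split_target(target)
  LOCATION_RE.match?(path)
end

# Value of the spoof parameter, or nil when absent or the query is malformed.
def spoof_param(target)
  _, query = split_target(target)
  pair = URI.decode_www_form(query).find { |key, _| key == 'spoof' }
  pair && pair[1]
rescue ArgumentError
  nil
end

# Requests under /unattended/ that carry spoof=, for review against expected clients.
def spoofed_requests(log)
  log.each_line.map do |line|
    m = LINE_RE.match(line)
    next unless m
    client, _method, target, status = m.captures
    value = spoof_param(target)
    next unless value && target.start_with?('/unattended/')
    { client: client, target: target, spoof: value, status: status.to_i }
  end.compact
end
```
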

Related issues

Related to Smart Proxy - Feature #969: Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy) | Closed | 2011-06-09

Associated revisions

Revision 224783a1 (diff)
Added by Ohad Levy almost 8 years ago

fixes #1208 - Unauthenticated IP spoofing should not be allowed

History

#1 Updated by Marcello de Sousa almost 8 years ago

...and if auth required, via HTTPS only of course.

#2 Updated by Ohad Levy almost 8 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
