Bug #13828

closed

CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks

Added by Ohad Levy about 8 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1192414
Description of problem:
Unprivileged user can see Administer -> Bookmarks

How reproducible:
always

Steps to Reproduce:
1. Login with admin user
2. Switch to "Any context" and create user without any location, org and role
3. Logout with admin user and login with newly created user

Actual results:
The unprivileged user can access Administer -> Bookmarks. He cannot get details about these bookmarks, but he can see them.


Actions #1

Updated by Ohad Levy about 8 years ago

I would expect bookmark listing to display my_bookmarks by default, similar to how the bookmark dropdown works.

Actions #2

Updated by Ohad Levy about 8 years ago

  • Description updated (diff)

Actions #3

Updated by Dominic Cleal about 8 years ago

  • Subject changed from unprivileged user can see Administer -> Bookmarks to unprivileged user can see private bookmarks in Administer -> Bookmarks
  • Category set to Security
  • Assignee deleted (Tom Caspy)

I think you specifically mean other users' private bookmarks are visible, so updated. The page and public bookmarks should be accessible to any user.

Please report security issues first to foreman-security, don't just file them in Redmine. See http://theforeman.org/security.html and https://groups.google.com/forum/#!msg/foreman-dev/noN-XJ1qXgU/vYFPVYLQDQAJ for more information. I will forward and start the CVE process myself.

Actions #4

Updated by Dominic Cleal about 8 years ago

There are further related issues with bookmarks, mostly coming from resource_base not being adequately defined:

  • UI edit action can render a form for a private bookmark by ID, if the user has edit_permission.
  • API index and get responses also show private bookmarks from other users.
  • update and destroy actions of both the UI and API are not scoped to bookmarks that the user should have access to update, so they can supply the ID of another user's private bookmark and the resource is found and updated. The user needs edit/destroy_bookmarks permission for this.

I've requested a CVE for this issue, we'll address it in the next release(s) following a patch being written.
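The scoping defect described in this comment, modelled as an added plain-Ruby example (this is not Foreman's code; Bookmark, BookmarksController, resource_base and the sample rows are assumptions). It shows why defining the base scope once fixes index, edit, update and destroy together:

```ruby
# Added example, not Foreman's code: models the authorization defect from this
# issue in plain Ruby so it runs without Rails or a database.
Bookmark = Struct.new(:id, :name, :owner_id, :public)

class NotFound < StandardError; end

# Constructed sample data: two users, each with one public and one private bookmark.
BOOKMARKS = [
  Bookmark.new(1, 'alice-public',  100, true),
  Bookmark.new(2, 'alice-private', 100, false),
  Bookmark.new(3, 'bob-public',    200, true),
  Bookmark.new(4, 'bob-private',   200, false)
].freeze

class BookmarksController
  def initialize(current_user_id, scoped:)
    @current_user_id = current_user_id
    @scoped = scoped # false reproduces the bug, true applies the fix
  end

  # Vulnerable base: every row. Hardened base: public rows plus the caller's own.
  # index, edit, update and destroy all derive from this one method, so scoping
  # it here closes every code path listed in the comment above at once.
  def resource_base
    return BOOKMARKS unless @scoped
    BOOKMARKS.select { |b| b.public || b.owner_id == @current_user_id }
  end

  def index
    resource_base.map(&:id)
  end

  # Used by edit/update/destroy: an ID outside the scope is indistinguishable
  # from a non-existent one, so the response does not reveal that it exists.
  def find_resource(id)
    resource_base.find { |b| b.id == id } || raise(NotFound, "bookmark #{id}")
  end

  def destroy(id)
    find_resource(id).id # a real app would delete here; return the id for checking
  end
end

def visible_ids(user_id, scoped:)
  BookmarksController.new(user_id, scoped: scoped).index
end
```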

Actions #5

Updated by Dominic Cleal about 8 years ago

  • Subject changed from unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks

CVE-2015-7582 has been assigned. Please include the number in the commit message.

Actions #6

Updated by Tom Caspy about 8 years ago

Tried reproducing with an unprivileged user, failed.

Actions #7

Updated by Tom Caspy about 8 years ago

But I can see all the hosts in the system, can't edit them. Is that supposed to happen?

Actions #8

Updated by Dominic Cleal about 8 years ago

Depends on the permissions assigned to your "Anonymous" role, which is a minimum set applied to all users.

The default changed some time ago and view_hosts was removed. view_bookmarks is assigned by default, so ensure yours matches the default seed (db/seeds.d/03-roles.rb).

Actions #9

Updated by The Foreman Bot about 8 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tom Caspy
  • Pull request https://github.com/theforeman/foreman/pull/3217 added

Actions #10

Updated by Dominic Cleal about 8 years ago

  • Subject changed from CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks

The CVE identifier should have been assigned from a 2016 block, so it's now CVE-2016-2100.

Actions #11

Updated by Tom Caspy about 8 years ago

  • Status changed from Ready For Testing to New
  • Assignee deleted (Tom Caspy)

Actions #12

Updated by Tom Caspy about 8 years ago

  • Pull request deleted (https://github.com/theforeman/foreman/pull/3217)

Actions #13

Updated by The Foreman Bot about 8 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tom Caspy
  • Pull request https://github.com/theforeman/foreman/pull/3221 added

Actions #14

Updated by Dominic Cleal about 8 years ago

  • translation missing: en.field_release set to 145

Actions #15

Updated by Tom Caspy about 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100