Project

General

Profile

Bug #3160

CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations

Added by Dominic Cleal about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host/host group to the lookup_value object, as it searches for lookup_values with the "fqdn=foo.example.com" or "hostgroup=Foo" syntaxes. The association calls a method on the host or host group for the matcher string, then puts the response straight into SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected.

Steps to reproduce:
  1. create a new host group named Robert';
  2. click on the host group to edit it

Result:

ActiveRecord::StatementInvalid in HostgroupsController#edit
SQLite3::SQLException: near ";": syntax error: SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = 'hostgroup=Robert';')

Relevant code:

app/models/concerns/host_common.rb:20

has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE (    lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy

app/models/hostgroup.rb:

def lookup_value_match
"hostgroup=#{to_label}"
end

Associated revisions

Revision 911e3f15 (diff)
Added by Dominic Cleal about 5 years ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

Revision a3564bcb (diff)
Added by Dominic Cleal about 5 years ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

Revision 3dd4c0e5 (diff)
Added by Dominic Cleal about 5 years ago

fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)

History

#1 Updated by Dominic Cleal about 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

#2 Updated by Dominic Cleal about 5 years ago

Patch for review please.

#3 Updated by Dominic Cleal about 5 years ago

  • Subject changed from SQL injection in host and host group lookup_value overrides/matcher associations to CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations
  • Due date set to 10/07/2013

Assigned CVE-2013-4386, embargo set to Monday 7th October.

#4 Updated by Amos Benari about 5 years ago

  • Status changed from Ready For Testing to Pending

Patch reviewed and approved.

#5 Updated by Dominic Cleal about 5 years ago

Thanks Amos. v2 is identical but with an updated commit message, no review required.

#7 Updated by Dominic Cleal about 5 years ago

  • Private changed from Yes to No

#8 Updated by Dominic Cleal about 5 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#9 Updated by Dominic Cleal about 5 years ago

Fix has been released in Foreman 1.2.3 (stable) and the upcoming 1.3.0-RC4 release.

Also available in: Atom PDF