Bug #3160 (closed)
CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations
Description
Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host/host group with the lookup_value object, as it searches for lookup_values with the "fqdn=foo.example.com" or "hostgroup=Foo" syntaxes. The association calls a method on the host or host group for the matcher string, then puts the response straight into the SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected.
Steps to reproduce:
- create a new host group named: Robert';
- click on the host group to edit it
Result:
ActiveRecord::StatementInvalid in HostgroupsController#edit
SQLite3::SQLException: near ";": syntax error: SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = 'hostgroup=Robert';')
Relevant code:
app/models/concerns/host_common.rb:20
has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE ( lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy
app/models/hostgroup.rb:
def lookup_value_match
  "hostgroup=#{to_label}"
end
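To make the defect concrete, here is an added illustration (not Foreman's code and not the fix from the linked commits): it rebuilds the finder_sql string exactly as the reported code does, next to a version that quotes the matcher as a SQL literal, and runs a small statement-shape check over both. quote_literal, safe_finder_sql and statement_shape are hypothetical helpers written for this example; quote_literal only mirrors the standard doubling of single quotes that a database adapter's quote method performs, so the example runs with plain Ruby and no ActiveRecord.

```ruby
# Added example, not part of the Foreman source. Pure Ruby, no ActiveRecord.

# The matcher string, built the same way as Hostgroup#lookup_value_match above.
def lookup_value_match(label)
  "hostgroup=#{label}"
end

# Vulnerable shape from the report: the matcher is interpolated straight into SQL.
def vulnerable_finder_sql(label)
  "SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = '#{lookup_value_match(label)}')"
end

# Hypothetical helper: quote a SQL string literal by doubling embedded single
# quotes (the ANSI escape used by SQLite, PostgreSQL and MySQL). A real adapter's
# connection.quote does this and more; it is inlined here so the file runs offline.
def quote_literal(str)
  "'" + str.gsub("'", "''") + "'"
end

# Hardened shape: the label can no longer terminate the literal.
def safe_finder_sql(label)
  "SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = #{quote_literal(lookup_value_match(label))})"
end

# Hypothetical reviewer check: walk the statement, tracking single-quoted
# literals, and report a ';' outside any literal or a literal left open.
# Returns :ok, :stray_semicolon or :unterminated_literal.
def statement_shape(sql)
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"   # doubled quote is an escaped quote inside the literal
          i += 1
        else
          in_literal = false   # literal closed
        end
      end
    elsif c == "'"
      in_literal = true
    elsif c == ";"
      return :stray_semicolon  # statement terminator reachable from user input
    end
    i += 1
  end
  in_literal ? :unterminated_literal : :ok
end

if __FILE__ == $0
  # Constructed inputs: the label from the report, a benign one, and one with a
  # single quote that is a legitimate name rather than an attack.
  ["Robert';", "Robert", "O'Brien"].each do |label|
    puts "label=#{label.inspect}"
    puts "  interpolated: #{statement_shape(vulnerable_finder_sql(label))}"
    puts "  quoted:       #{statement_shape(safe_finder_sql(label))}"
  end
end
```

Note that the O'Brien case matters for the mitigation: a label that is not hostile still breaks the interpolated query (the literal is left unterminated), while the quoted form handles every label the same way, so the fix belongs in how the query is built rather than only in restricting which names users may choose.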
Updated by Dominic Cleal over 11 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Updated by Dominic Cleal over 11 years ago
- File 0001-fixes-3160-sanitize-host-host-group-names-v1.patch added
- Status changed from Assigned to Ready For Testing
Patch for review please.
Updated by Dominic Cleal over 11 years ago
- Subject changed from SQL injection in host and host group lookup_value overrides/matcher associations to CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations
- Due date set to 10/07/2013
Assigned CVE-2013-4386, embargo set to Monday 7th October.
Updated by Amos Benari over 11 years ago
- Status changed from Ready For Testing to Pending
Patch reviewed and approved.
Updated by Dominic Cleal over 11 years ago
- File 0001-fixes-3160-sanitize-host-host-group-names-v2.patch added
Thanks Amos. v2 is identical but with an updated commit message, no review required.
Updated by Dominic Cleal over 11 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Applied in changeset 3dd4c0e50a4ea8c0393a78220c2dcec380a9db07.
Updated by Dominic Cleal over 11 years ago
Fix has been released in Foreman 1.2.3 (stable) and the upcoming 1.3.0-RC4 release.
Updated by Dominic Cleal over 11 years ago
Foreman 1.2.3 announcement:
https://groups.google.com/forum/#!topic/foreman-announce/GKMNXM66Z84
Patches:
https://github.com/theforeman/foreman/commit/3dd4c0e5 (develop)
https://github.com/theforeman/foreman/commit/a3564bcb (1.3)
https://github.com/theforeman/foreman/commit/911e3f15 (1.2)