Bug 1340107
| Summary: | CVE-2016-4451 - Privileges escalation through Organization and Locations API | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Marek Hulan <mhulan> |
| Component: | Security | Assignee: | Marek Hulan <mhulan> |
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Hellebrandt <lhellebr> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0.4 | CC: | bkearney, cwelton, lhellebr, mvanderw, rnuccite |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/15182 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-02-21 17:07:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1339889 | ||
|
Description
Marek Hulan
2016-05-26 13:09:07 UTC
Created from redmine issue http://projects.theforeman.org/issues/15182 Upstream bug assigned to mhulan Moving to POST since upstream bug http://projects.theforeman.org/issues/15182 has been closed FailedQA.
This might have been caused by something else but this bug is not verifiable anyway.
1) Create an org
2) Create a user in that org, grant full rights (not admin) to it
3) As admin, create some domain in that org.
4) As a user, create some domain in that org.
5) Notice that, when logged in a the user, you can't see any of those domains.
6) Try with API:
# curl -X GET -k -u testuser:testpass "https://<FQDN>/api/organizations/3/domains"
{
"total": 0,
"subtotal": 0,
"page": 1,
"per_page": 20,
"search": null,
"sort": {
"by": null,
"order": null
},
"results": []
}
Verified with Sat6.3 snap 16.
The point here was not unability to reproduce. The problem was there has been a change in behavior between 6.2 and 6.3: entities without Location assigned are now not shown to non-admin users. As this is expected, according to devel, I am verifying this bug.
Reproducer:
1) create org Testorg
2) create user Testuser in Testorg
3) assign Default Location to Testorg and to Testuser
4) as Testuser, create domain Testdomain with org Testorg and location Testlocation
5) List domains in Testorg, they are successfullylisted:
# curl -X GET -k -u Testuser:<testpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"
6) create org Anotherorg
7) create user Anotheruser in Anotherorg
8) assign Default Location to Anotherorg and to Anotheruser
9) Try to list domains in Testorg as Anotheruser and get {"message":"Organization with id <Testorg_id> not found"} which means the bug has been fixed
# curl -X GET -k -u Anotheruser:<anotherpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"
Further tested with similar steps using:
a) GET, Location instead of Org (for example API /api/locations/:location_id/hostgroups) and hostgroups as entity
b) POST, Location and Parameter create
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336 |