Bug 484828

Summary: op.cgi security bug allows RA agents to approve requests not assigned to their agent group
Product: [Retired] Dogtag Certificate System
Component: RA
Reporter: Robert Mead <veryaware>
Assignee: Ade Lee <alee>
QA Contact: Chandrasekar Kannan <ckannan>
Status: CLOSED ERRATA
Severity: medium
Priority: urgent
Version: unspecified
CC: awnuk, benl, cfu, msauton, tao
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:32:17 UTC
Bug Blocks: 443788, 488706
Attachments:
  corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups) (flags: none)

Description Robert Mead 2009-02-10 05:30:51 UTC
Created attachment 331394 [details]
corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups)

Description of problem:
op.cgi uses different code from both (docroot/agent/request) index.cgi and read.cgi for retrieving a request from the $queue. As a result, unlike the other two scripts, it fails to enforce the limitation that RAs may only approve requests assigned to their group/role.

I also noticed two cases where the database/queue connection could be left hanging (open) and added $queue->close(); calls immediately before the "return" statements in question.

Version-Release number of selected component (if applicable):
yum info pki-ra says
Version: 1.0.0
Release: 2.fc8


How reproducible:
every time.

Steps to Reproduce:
1. configure CS.cfg to assign different requests (user/server) to different (RA agent interface) groups OR, as in our case, modify the autoassign plugin to assign different requests to different agent groups.
2. add agents to the agent groups
3. edit CS.cfg to authorize the new agent groups i.e. add the new groups to:
agent.authorized_groups=admin,agent,serverAgents,userAgents
4. request a certificate that gets assigned to one agent group e.g. serverAgents
5. notice the list and read screens correctly show the request to agents in the correct group (e.g. serverAgents) and don't show it to other agents
6. as the other agent (e.g. an agent not in serverAgents), paste the approve URL for the new request into your browser.
7. The request is approved, when it should not be.
  
Actual results:
The request is approved, when it should not be.

Expected results:
The approval request should be ignored and potentially logged.

Additional info:

The fix is simple and based on the other similar CGIs. I have tested it and it works for both the success and failure cases. The fix is no more elegant than the code in index.cgi and read.cgi, but works similarly. Input validation across the RA interface is poor. I am not a Perl programmer so someone should check it, but it is a very simple fix.

Here is a diff (fixed_file orig_file):
 diff op.cgi op.cgi.orig 
71d70
< 
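Review bot: the diff was generated fixed-first (`diff op.cgi op.cgi.orig`), so in every hunk below the `<` lines are the corrected code and the `>` lines are the original, the reverse of the usual orientation and not usable with `patch` as-is; regenerate it as `diff -u op.cgi.orig op.cgi`, and drop this first hunk, which only introduces a blank line at line 71 of the fixed file.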
80,87c79
<   #Security bug, previously allowed agents to approve requests 
<   #they can't see replace with same code as index.cgi and read.cgi
<   #to limit approvals to requests assigned to their role/group.
<   #my $pref = $queue->read_request($id);
<   my @roles = $self->get_current_roles($cfg);
<   my $pref = $queue->read_request_by_roles(\@roles, $id);
<   #consider adding an error check and redirect
< 
---
>   my $pref = $queue->read_request($id);
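Review bot: the result of `$queue->read_request_by_roles(\@roles, $id)` is never tested before `$pref` is used, and the `#consider adding an error check and redirect` comment defers exactly that. Check the return value right after the call: if nothing comes back (the request is not assigned to one of the agent's roles, or the id does not exist), close the queue, log the rejected approval with the agent and request id, and return an unauthorized response instead of letting later code operate on an empty `$pref`. The commented-out `#my $pref = $queue->read_request($id);` line should also be deleted rather than left in the file.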
92d83
<       $queue->close();    #close previously hanging database connection
100d90
<       $queue->close();    #close previously hanging database connection
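Review bot: the `$queue->close()` added here and in the preceding 92d83 hunk covers only the two early returns at lines 92 and 100; check that every other return path in op.cgi, including the one an authorization failure takes, releases the queue as well, or move to a single close at the end of the handler that runs on all paths. The comment `#close previously hanging database connection` describes the bug's history rather than what the line does; `# release the queue before returning` reads better in the shipped file.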

I am attaching the fixed version of the file.
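The bug and the fix pattern, modelled as an added example (not code from pki-ra or from the reporter; the queue class, its method names, the approve handlers and the agent/group fixture are assumptions patterned on the identifiers quoted in the report). It contrasts the original lookup by id alone with the role-scoped lookup that index.cgi and read.cgi already used, fails closed with a log entry when the scoped lookup returns nothing, and closes the queue on every return path:

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class CertRequest:
    id: int
    kind: str           # "user" or "server"
    assigned_to: str    # agent group the autoassign plugin routed it to
    status: str = "pending"


class RequestQueue:
    """Stand-in for the $queue object op.cgi reads from (assumed API)."""

    def __init__(self, requests):
        self._by_id = {r.id: r for r in requests}
        self.open = True

    def read_request(self, rid):
        # Lookup by id alone: any agent who knows the id gets the record.
        return self._by_id.get(rid)

    def read_request_by_roles(self, roles, rid):
        # Lookup scoped to the caller's groups: the record is returned only
        # if the request was assigned to one of them, otherwise None.
        r = self._by_id.get(rid)
        return r if r is not None and r.assigned_to in roles else None

    def close(self):
        self.open = False


# Constructed fixture: two agents in two groups, mirroring the report's
# serverAgents/userAgents split (agent.authorized_groups in CS.cfg).
AGENT_ROLES = {
    "alice": ["agent", "serverAgents"],
    "bob": ["agent", "userAgents"],
}
AUDIT_LOG = []


def make_queue():
    return RequestQueue([
        CertRequest(3, "server", "serverAgents"),
        CertRequest(4, "user", "userAgents"),
    ])


def approve_vulnerable(queue, agent, rid):
    """Pre-fix behaviour: fetch by id and never consult the agent's roles."""
    pref = queue.read_request(rid)
    if pref is None:
        queue.close()
        return "not found"
    pref.status = "approved"
    queue.close()
    return "approved"


def approve_fixed(queue, agent, rid):
    """Post-fix behaviour: fetch through the role-scoped lookup and fail
    closed, logging the rejected attempt, when nothing comes back."""
    roles = AGENT_ROLES.get(agent, [])
    pref = queue.read_request_by_roles(roles, rid)
    if pref is None:
        AUDIT_LOG.append(f"denied approve id={rid} agent={agent} roles={roles}")
        queue.close()           # close on every return path
        return "not authorized"
    pref.status = "approved"
    queue.close()
    return "approved"


def handle_op(queue, agent, query_string, fixed=True):
    """Dispatch a pasted op.cgi?type=approve&id=N query the way the CGI would."""
    params = parse_qs(query_string)
    if params.get("type") != ["approve"]:
        queue.close()
        return "unsupported op"
    try:
        rid = int(params["id"][0])
    except (KeyError, ValueError):
        queue.close()
        return "bad id"
    handler = approve_fixed if fixed else approve_vulnerable
    return handler(queue, agent, rid)


def demo():
    # bob (userAgents only) pastes the approve URL for server request 3
    before = handle_op(make_queue(), "bob", "type=approve&id=3", fixed=False)
    after = handle_op(make_queue(), "bob", "type=approve&id=3", fixed=True)
    # alice (serverAgents) is allowed to approve the same request
    allowed = handle_op(make_queue(), "alice", "type=approve&id=3")
    return before, after, allowed


if __name__ == "__main__":
    print(demo())       # ('approved', 'not authorized', 'approved')
    print(AUDIT_LOG)
```

The design point is that authorization is enforced by the lookup itself rather than by a check bolted on after an unscoped fetch: a handler that cannot obtain a record outside the caller's groups cannot act on it, which is why reusing the same role-scoped read across index.cgi, read.cgi and op.cgi closes the hole.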

Comment 2 Ade Lee 2009-03-12 18:42:05 UTC
Thanks for the report. 

Your proposed fix will be incorporated in the Dogtag source tree in the near future (probably over the next week or two). It will also be released as a security errata for CS 7.3 shortly thereafter.

Thanks, 
Ade Lee
Red Hat CS Dev Team

Comment 3 Ade Lee 2009-04-07 17:46:23 UTC
Created attachment 338553 [details]
patch to fix 

patch to fix .. 

cfu, please review

Comment 4 Andrew Wnuk 2009-04-07 19:09:30 UTC
attachment (id=338553) +awnuk

Comment 5 Ade Lee 2009-04-07 19:53:11 UTC
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla BZ#484828: op.cgi allows RA agents to approve requests not assigned to their agent group" base/ra dogtag/ra
Sending        base/ra/forms/agent/request/op.cgi
Sending        dogtag/ra/pki-ra.spec
Transmitting file data ..
Committed revision 377.

Comment 6 Chandrasekar Kannan 2009-06-05 00:14:56 UTC
verified with pki-ra build - 06/04/2009.

https://sigma.dsdev.sjc.redhat.com:27989/agent/request/op.cgi?type=approve&id=3

Accessing a url like that says "you are not authorized".

test case.

1 - added group1,group2 from ra admin
2 - added user1,user2 from ra admin
3 - user1 added to group1. user2 added to group2
4 - change autoassign.pm to assign all requests to group1 by default
5 - restart ra
6 - file a request. gets assigned to group1
7 - login to ra agent as user1. able to see request. see approve url
8 - login to ra agent as user2. unable to view request. unable to see approve url.