Ramon de C Valle (rcvalle) reports:
There is a code injection vulnerability in the create method of the
Bookmarks controller. The create method uses the (mass-assigned)
controller attribute of the newly created bookmark in an eval statement
without sanitizing it:
    def create
      @bookmark = Bookmark.new(params[:bookmark])
      respond_to do |format|
        if @bookmark.save
          # the mass-assigned, user-controlled `controller` attribute is spliced
          # into a string and handed to eval
          format.html { redirect_to(eval(@bookmark.controller+"_path"),
                                    :notice => _('Bookmark was successfully created.')) }
        else
          format.html { render :action => "new" }
        end
      end
    end
Any user with permissions to create a bookmark can execute arbitrary
code and arbitrary system commands by sending a specially-crafted POST
request. The controller attribute is validated with the regular
expression /\A(\S+)\Z/, which prevents us from using code containing
spaces. However, this can be easily circumvented (see example (a)). The
following are some possible example attacks, including arbitrary command
execution.
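The following script is an added illustration of the point made in the report, not Foreman's code and not the patch that fixed it. It shows why the format check /\A(\S+)\Z/ does nothing to make eval(@bookmark.controller + "_path") safe (any Ruby expression written without whitespace satisfies it, and \Z additionally tolerates one trailing newline), and contrasts it with an allowlist that only ever uses the attribute as a key and dispatches the route helper by name, so no user-controlled text is parsed as Ruby. ROUTE_HELPERS and the *_path methods defined from it are an assumed stand-in for the Rails route helpers so the script runs offline; the injected string is a constructed, benign marker (it sets a global variable) rather than a command-execution payload.

```ruby
# Added illustration, not Foreman's code: the format check the report quotes
# versus an allowlist that never hands user input to eval.
# ROUTE_HELPERS stands in for the Rails *_path helpers so this runs offline.

CONTROLLER_FORMAT = /\A(\S+)\Z/   # the validation quoted in the report

# Assumed route table; a Rails app gets these helpers from its routes.
ROUTE_HELPERS = {
  "hosts"     => "/hosts",
  "dashboard" => "/dashboard",
  "bookmarks" => "/bookmarks",
}.freeze
ROUTE_HELPERS.each do |name, path|
  Object.send(:define_method, "#{name}_path") { path }   # hosts_path etc.
end

# The report's format check: anything without whitespace passes, and \Z
# additionally lets a single trailing newline through.
def passes_format_check?(controller)
  !!(controller =~ CONTROLLER_FORMAT)
end

# Mirrors the vulnerable pattern: regex check, then eval of the attribute.
# $injected records whether code carried in the attribute was executed.
def unsafe_redirect_path(controller)
  raise ArgumentError, "bad controller" unless passes_format_check?(controller)
  $injected = nil
  eval(controller + "_path")
end

# Hardened form: the attribute is only a key into a fixed allowlist, and the
# helper is dispatched by name, so no user-controlled text is parsed as Ruby.
def safe_redirect_path(controller)
  unless ROUTE_HELPERS.key?(controller)
    raise ArgumentError, "unknown controller: #{controller.inspect}"
  end
  public_send("#{controller}_path")
end

# true when the allowlist version refuses the value
def rejected_by_allowlist?(controller)
  safe_redirect_path(controller)
  false
rescue ArgumentError
  true
end

# Constructed input: a Ruby expression with no whitespace, so it satisfies
# the regex; the trailing '#' comments out the appended "_path". It only
# sets a global as a marker that attacker-supplied code ran.
INJECTED = "nil;$injected=:code_ran;'/hosts'#"

if __FILE__ == $0
  puts passes_format_check?(INJECTED)      # true: the format check is satisfied
  puts unsafe_redirect_path(INJECTED)      # "/hosts", and $injected is now :code_ran
  puts $injected.inspect
  puts rejected_by_allowlist?(INJECTED)    # true: the allowlist refuses it
  puts safe_redirect_path("hosts")         # "/hosts"
end
```

The check a practitioner wants from this is the second pair of lines: the eval-based version returns a perfectly normal-looking redirect target while the marker shows that arbitrary code ran, whereas the allowlist version never evaluates the attribute at all. A character-class regex restricts the alphabet of an input, not its meaning, so it is never a substitute for keeping user data out of eval.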
Comment 4 Murray McAllister 2013-05-30 22:20:50 UTC
Acknowledgements:
This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Upstream tracker: http://projects.theforeman.org/issues/2631
A fix has been committed:
commit ef4b97d177c58c9532730d53dca0517bc869a0ce
Author: Joseph Mitchell Magen <jmagen>
Date: Mon Jun 3 18:11:32 2013 +0100
fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)
And cherry-picked to stable branches:
1.2-stable: 2f3839eb9928bd04876c2e1bfe509cd9ed120991
1.1-stable: 8920e796a285201e9e0f6af0220e79d257077d7d
The fix will be packaged as part of Foreman 1.2.0-RC2.
foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975