Dominic Cleal of Red Hat reported an SQL injection vulnerability in Foreman. Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host or host group with the lookup_value object, since they search for lookup_values using the "fqdn=foo.example.com" or "hostgroup=Foo" matcher syntax. The association calls a method on the host or host group to obtain the matcher string, then puts the result straight into the SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected. External references: http://projects.theforeman.org/issues/3160
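The two query shapes described above, as an added illustration that is not Foreman's code or the referenced patch: the matcher string interpolated into SQL text, beside a form that keeps it as a bound parameter and validates the name first. The lookup_values table name comes from the advisory; the match column, helper names and the hostname pattern are assumptions.

```ruby
# Vulnerable shape: the matcher ("fqdn=<host>" / "hostgroup=<label>") is
# built from an attribute the user controls and dropped into the SQL text,
# so a quote in the host name ends the literal early.
def vulnerable_lookup_sql(kind, value)
  "SELECT * FROM lookup_values WHERE match = '#{kind}=#{value}'"
end

# Hardened shape: the SQL text is fixed; the matcher travels as a bind
# value, in the [sql, binds] form an ORM's parameterised query takes.
def safe_lookup_query(kind, value)
  ["SELECT * FROM lookup_values WHERE match = ?", ["#{kind}=#{value}"]]
end

# What a correct driver does with a bind: quote it as one SQL string
# literal, doubling embedded quotes so the literal cannot be terminated.
def quote_literal(value)
  "'" + value.gsub("'", "''") + "'"
end

# Substitute each bind into its placeholder (block form so the replacement
# text is taken literally).
def render(sql, binds)
  binds.each { |b| sql = sql.sub("?") { quote_literal(b) } }
  sql
end

# Defence in depth: a hostname or label should never contain a quote at all.
# Reject anything outside RFC-style label syntax before it reaches a query.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(name)
  name.length <= 253 && !!(name =~ HOSTNAME_RE)
end

if __FILE__ == $0
  hostile = "foo.example.com'"   # constructed: a name carrying one quote
  puts vulnerable_lookup_sql("fqdn", hostile)      # three quotes: broken statement
  puts render(*safe_lookup_query("fqdn", hostile)) # quote doubled inside the literal
  puts valid_hostname?(hostile)                    # false: rejected before any query
end
```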
Acknowledgements: This issue was discovered by Dominic Cleal of Red Hat.
Foreman 1.2.3 has been released to fix this issue: https://groups.google.com/forum/#!topic/foreman-announce/GKMNXM66Z84
Patches:
https://github.com/theforeman/foreman/commit/3dd4c0e5 (develop)
https://github.com/theforeman/foreman/commit/a3564bcb (1.3)
https://github.com/theforeman/foreman/commit/911e3f15 (1.2)
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2013:1522 https://rhn.redhat.com/errata/RHSA-2013-1522.html