Bug 1043040 - (CVE-2013-6492) CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
Depends On: 1061903 1061904 1061905 1061906
Blocks: 1043709
Reported: 2013-12-13 14:58 EST by Athmane Madjoudj
Modified: 2015-07-31 07:53 EDT

Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-02-13 14:50:31 EST

Attachments
Auth bypass fix (345 bytes, patch), 2013-12-13 14:58 EST, Athmane Madjoudj

External Trackers
Tracker                  ID              Priority  Status        Summary                                         Last Updated
CentOS                   6825            -         -             -                                               -
Red Hat Product Errata   RHSA-2014:0174  normal    SHIPPED_LIVE  Important: piranha security update              2014-02-13 18:45:55 EST
Red Hat Product Errata   RHSA-2014:0175  normal    SHIPPED_LIVE  Important: piranha security and bug fix update  2014-02-13 18:45:45 EST

Description Athmane Madjoudj 2013-12-13 14:58:51 EST
Created attachment 836487: Auth bypass fix

Description of problem:

In the Piranha web UI configuration, only GET requests require authentication (via <Limit GET>...</Limit> in the config file); it's possible to display some pages by sending POST requests.

Version-Release number of selected component (if applicable):

Steps to Reproduce:

1. GET requests require authentication as expected:

# curl  -I
HTTP/1.1 401 Authorization Required
Date: Fri, 13 Dec 2013 20:43:35 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
WWW-Authenticate: Basic realm="access to the piranha web GUI"
Connection: close
Content-Type: text/html; charset=iso-8859-1

2. The same request but with POST:

# curl -d'' -I 

<TITLE>Piranha (Control/Monitoring)</TITLE>
<STYLE TYPE="text/css">

Actual results:
Admin page displayed

Expected results:
Admin page denied

Additional info:
A fix is attached.
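The misconfiguration described above, as an added example that is not part of the bug report or of the piranha package: a small Python check that flags Apache authentication directives scoped inside a <Limit> block, which leaves every method not listed there unauthenticated. Both config snippets are constructed to resemble the issue (the directory and htpasswd paths are assumptions), and the hardened form is an assumed shape of a fix, not the attached patch.

```python
import re

# Constructed sample resembling the misconfiguration in the report: the auth
# directives live inside <Limit GET>, so only GET (and HEAD) are protected.
# Paths are assumptions; the realm string is the one shown in the report.
VULNERABLE_CONF = """\
<Directory "/etc/sysconfig/ha/web">
    <Limit GET>
        AuthType Basic
        AuthName "access to the piranha web GUI"
        AuthUserFile /etc/sysconfig/ha/web/secure/.htpasswd
        Require valid-user
    </Limit>
</Directory>
"""

# Hardened form (an assumption, not the attached patch): the same directives
# placed outside any <Limit> block apply to every request method.
HARDENED_CONF = """\
<Directory "/etc/sysconfig/ha/web">
    AuthType Basic
    AuthName "access to the piranha web GUI"
    AuthUserFile /etc/sysconfig/ha/web/secure/.htpasswd
    Require valid-user
</Directory>
"""

# Directives that, when scoped to <Limit>, leave unlisted methods unauthenticated.
AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "require"}


def find_limited_auth(conf):
    """Return one finding per <Limit ...> block that carries an auth directive.
    Each finding records the line, the methods the block covers and the
    directives found inside it. <LimitExcept> blocks are not reported, since
    they protect every method that is not listed."""
    findings, current = [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<limit\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = {"line": lineno, "methods": opened.group(1).upper().split(), "directives": []}
        elif re.match(r"</limit>", line, re.IGNORECASE):
            if current and current["directives"]:
                findings.append(current)
            current = None
        elif current is not None and line:
            word = line.split(None, 1)[0].lower()
            if word in AUTH_DIRECTIVES:
                current["directives"].append(word)
    return findings
```

Run it over a real httpd.conf with find_limited_auth(open(path).read()); an empty result means no authentication directive is restricted to a method list.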
Comment 1 Vincent Danen 2013-12-16 19:25:28 EST
This would indeed be a security issue, so I'm going to turn this into an SRT bug and get a CVE assigned.  Thank you for this report.
Comment 2 Vincent Danen 2013-12-16 19:34:41 EST
This also looks to affect upstream piranha as the httpd.conf in question is included in the source file.
Comment 7 Tomas Hoger 2014-02-05 09:51:38 EST
Original report in the CentOS bug tracker:

Comment 8 Tomas Hoger 2014-02-05 10:44:37 EST
Bumping priority; this can effectively be used to modify the lvs.cf configuration file.
Comment 12 errata-xmlrpc 2014-02-13 13:48:05 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0175 https://rhn.redhat.com/errata/RHSA-2014-0175.html
Comment 13 errata-xmlrpc 2014-02-13 13:48:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0174 https://rhn.redhat.com/errata/RHSA-2014-0174.html