Bug 1043040 (CVE-2013-6492) - CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Summary: CVE-2013-6492 piranha: web UI authentication bypass using POST requests
Alias: CVE-2013-6492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1061903 1061904 1061905 1061906
Blocks: 1043709
TreeView+ depends on / blocked
Reported: 2013-12-13 19:58 UTC by Othman Madjoudj
Modified: 2019-09-29 13:11 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-02-13 19:50:31 UTC

Attachments (Terms of Use)
Auth bypass fix (345 bytes, patch)
2013-12-13 19:58 UTC, Othman Madjoudj
no flags Details | Diff

System ID Priority Status Summary Last Updated
CentOS 6825 None None None Never
Red Hat Product Errata RHSA-2014:0174 normal SHIPPED_LIVE Important: piranha security update 2014-02-13 23:45:55 UTC
Red Hat Product Errata RHSA-2014:0175 normal SHIPPED_LIVE Important: piranha security and bug fix update 2014-02-13 23:45:45 UTC

Description Othman Madjoudj 2013-12-13 19:58:51 UTC
Created attachment 836487 [details]
Auth bypass fix

Description of problem:

In Piranha web UI configuration, only GET requests require authentication (via <Limit GET>...</Limit> in config file), it's possible to display some page by sending POST requests.

Version-Release number of selected component (if applicable):

Steps to Reproduce:

1. GET requests require authentication as expected:

# curl  -I
HTTP/1.1 401 Authorization Required
Date: Fri, 13 Dec 2013 20:43:35 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
WWW-Authenticate: Basic realm="access to the piranha web GUI"
Connection: close
Content-Type: text/html; charset=iso-8859-1

2. The same request but with POST:

# curl -d'' -I 

<TITLE>Piranha (Control/Monitoring)</TITLE>
<STYLE TYPE="text/css">

Actual results:
Admin page displayed

Expected results:
Admin page denied

Additional info:
A fix is attached

Comment 1 Vincent Danen 2013-12-17 00:25:28 UTC
This would indeed be a security issue, so I'm going to turn this into an SRT bug and get a CVE assigned.  Thank you for this report.

Comment 2 Vincent Danen 2013-12-17 00:34:41 UTC
This also looks to affect upstream piranha as the httpd.conf in question is included in the source file.

Comment 7 Tomas Hoger 2014-02-05 14:51:38 UTC
Original report in the CentOS bug tracker:


Comment 8 Tomas Hoger 2014-02-05 15:44:37 UTC
Bumping priority, this can be effectively used to modify lvs.cf configuration file.

Comment 12 errata-xmlrpc 2014-02-13 18:48:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0175 https://rhn.redhat.com/errata/RHSA-2014-0175.html

Comment 13 errata-xmlrpc 2014-02-13 18:48:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0174 https://rhn.redhat.com/errata/RHSA-2014-0174.html

Note You need to log in before you can comment on or make changes to this bug.