Jan Rusnacko of Red Hat reports: currently CSRF protection of CFME is based on checking the referer header. Implementation of the check is not strict enough and permits attacker CSRF in certain scenarios. Assuming CFME is running on cfme.host and client's browser sent referer without a full path during authentication, attacker can mount CSRF from domain cfme.host.evil.com, which will bypass CSRF referer check. Code in the request_referer_service.rb contains following: class RequestRefererService def referer_valid?(referer, string_to_test) referer.to_s.starts_with?(string_to_test) end end This check only makes sure that referer starts with string_to_test, with the assumption that it is FQDN of CFME host. String to test is set in DashboardController in authenticate action: 538: session['referer'] = request.referer.sub(/\?.*/,'') When user first authenticates, CFME saves the referer. Login form, from which user fires off authenticate request, is located at the root, so referer should contain URL in form "https://cfme.host/". This is stripped from any parameters and saved to session['referer'], which will again contain "https://cfme.host/" for the rest of the session. Any subsequent user requests must include referer starting with "https://cfme.host/". Sending referer header raises privacy concerns. To mitigate them, referer sent by the client may not include full URL, but only protocol+hostname instead of full path. This is exactly idea behind original proposal of Origin header (for details see [1]). Stripping full URL to hostname (or just domain) can be achieved by for example by Referer Control addon to Firefox, or perhaps implemented at network level as a part of company security policy. If the client sends authenticate request without trailing "/", then session['referer'] will contain something like "https://cfme.host", or just "cfme.host", and attacker can simply mount CSRF from "cfme.host.evil.com" and pass the check. This attack on broken Referer check implementation is described in OWASP CSRF prevention cheat sheet [2]. Thank you. [1] http://seclab.stanford.edu/websec/csrf/csrf.pdf [2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Checking_The_Referer_Header
proposed upstream fix: https://github.com/ManageIQ/cfme/pull/2179
This is public now: https://github.com/ManageIQ/cfme/pull/2179
The above is not "public". It's a private repo.
This issue has been addressed in following products: CloudForms Management Engine 5.x Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html