Bug 1215020 (CVE-2015-3160) - Beaker is vulnerable to "XXE" attacks from authenticated users, due to external entity expansion in job XML
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-3160
Product: Beaker
Classification: Retired
Component: general
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: 20.1
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks: 1215894
Reported: 2015-04-24 06:58 UTC by Dan Callaghan
Modified: 2018-02-06 00:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-08 04:05:50 UTC
Embargoed:


Attachments
proposed patch (4.87 KB, patch)
2015-04-29 07:21 UTC, Dan Callaghan

Description Dan Callaghan 2015-04-24 06:58:04 UTC
Description of problem:
Beaker is vulnerable to "XXE" (XML external entity) attacks. An authenticated user can submit a job XML to the scheduler containing entity references which reference files from the Beaker server's filesystem, thereby causing the contents to be disclosed in the web UI.

For example:

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<job>
  <whiteboard>&xxe;</whiteboard>
  <recipeSet>
    <recipe>
      <distroRequires>
        <distro_arch op="=" value="x86_64"/>
      </distroRequires>
      <hostRequires/>
      <task name="/distribution/install" role="STANDALONE"/>
    </recipe>
  </recipeSet>
</job>

This can be exploited to reveal sensitive information from the filesystem accessible by the apache user, including Kerberos keytabs and the database password in /etc/beaker/server.cfg.

Note that there are no known ways to exploit this as an anonymous user. It requires malicious action from a user with a valid Beaker account.

Version-Release number of selected component (if applicable):
all Beaker versions are vulnerable

Steps to Reproduce:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example
3. View the job in the web UI

Actual results:
Contents of /etc/passwd are revealed in the job whiteboard.

Expected results:
Job should not be accepted; it should fail to parse due to an undefined entity.

Additional info:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
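The expected behaviour described above (a job XML carrying a DTD or entity declaration is refused before any entity can be expanded) can be demonstrated with the Python standard library. The following is an added example written for this page; it is not Beaker's code and not the patch attached below. It assumes a hypothetical helper named parse_job_xml that a scheduler would call on submitted job XML, and the two job documents are constructed inline (the unsafe one is the payload from the description).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeJobXML(ValueError):
    """Raised when submitted job XML carries a DTD, entity declaration or
    external entity reference. Job XML never legitimately needs any of these."""


def _reject_dtd_and_entities(xml_text: str) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE, entity declaration
    or external entity reference. Raising inside a handler stops the parse and
    propagates the exception out of Parse(), so nothing is ever expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeJobXML("DOCTYPE declarations are not allowed in job XML")

    def on_entity_decl(*args):
        raise UnsafeJobXML("entity declarations are not allowed in job XML")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeJobXML("external entity references are not allowed in job XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)


def parse_job_xml(xml_text: str) -> ET.Element:
    """Hypothetical scheduler entry point: refuse anything with a DTD, then
    build the tree. xml.etree itself also refuses undefined entities, but the
    explicit pre-check gives a clear error and does not depend on that."""
    _reject_dtd_and_entities(xml_text)
    return ET.fromstring(xml_text)


def is_accepted(xml_text: str) -> bool:
    """True if the job would be imported, False if it is rejected for any reason."""
    try:
        parse_job_xml(xml_text)
        return True
    except (UnsafeJobXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed benign job: the same structure as the report's example, no DTD.
SAFE_JOB = """<job>
  <whiteboard>nightly regression run</whiteboard>
  <recipeSet>
    <recipe>
      <distroRequires>
        <distro_arch op="=" value="x86_64"/>
      </distroRequires>
      <hostRequires/>
      <task name="/distribution/install" role="STANDALONE"/>
    </recipe>
  </recipeSet>
</job>
"""

# The payload from the bug description: an external entity pointing at a server file.
XXE_JOB = """<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<job>
  <whiteboard>&xxe;</whiteboard>
  <recipeSet>
    <recipe>
      <distroRequires>
        <distro_arch op="=" value="x86_64"/>
      </distroRequires>
      <hostRequires/>
      <task name="/distribution/install" role="STANDALONE"/>
    </recipe>
  </recipeSet>
</job>
"""


if __name__ == "__main__":
    root = parse_job_xml(SAFE_JOB)
    print("safe job whiteboard:", root.findtext("whiteboard"))
    try:
        parse_job_xml(XXE_JOB)
    except UnsafeJobXML as exc:
        print("unsafe job rejected:", exc)
```

The check is deliberately placed before tree construction rather than after: once a parser has resolved the entity, the file contents are already in memory and in whatever the whiteboard is later rendered as, so the only safe point to refuse is at the DOCTYPE itself.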

Comment 2 Dan Callaghan 2015-04-29 07:21:38 UTC
Created attachment 1020003
proposed patch

Comment 5 Hui Wang 2015-05-04 06:39:19 UTC
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482
Steps:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example in the description

Result:  Failed to import job

Comment 6 Dan Callaghan 2015-05-08 04:05:50 UTC
Beaker 20.1 has been released.
