Bug 1215020 - (CVE-2015-3160) Beaker is vulnerable to "XXE" attacks from authenticated users, due to external entity expansion in job XML
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: general
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: 20.1
Target Release: ---
Assigned To: Dan Callaghan
QA Contact: tools-bugs
Keywords: Patch, Security
Depends On:
Blocks: 1215894
Reported: 2015-04-24 02:58 EDT by Dan Callaghan
Modified: 2015-05-08 00:31 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-05-08 00:05:50 EDT
Type: Bug
Attachments:
proposed patch (4.87 KB, patch), 2015-04-29 03:21 EDT, Dan Callaghan

Description Dan Callaghan 2015-04-24 02:58:04 EDT
Description of problem:
Beaker is vulnerable to "XXE" (XML external entity) attacks. An authenticated user can submit a job XML to the scheduler containing entity references which reference files from the Beaker server's filesystem, thereby causing the contents to be disclosed in the web UI.

For example:

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<job>
  <whiteboard>&xxe;</whiteboard>
  <recipeSet>
    <recipe>
      <distroRequires>
        <distro_arch op="=" value="x86_64"/>
      </distroRequires>
      <hostRequires/>
      <task name="/distribution/install" role="STANDALONE"/>
    </recipe>
  </recipeSet>
</job>

This can be exploited to reveal sensitive information from the filesystem accessible by the apache user, including Kerberos keytabs and the database password in /etc/beaker/server.cfg.

Note that there are no known ways to exploit this as an anonymous user. It requires malicious action from a user with a valid Beaker account.

Version-Release number of selected component (if applicable):
all Beaker versions are vulnerable

Steps to Reproduce:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example
3. View the job in the web UI

Actual results:
Contents of /etc/passwd are revealed in the job whiteboard.

Expected results:
Job should not be accepted; it should fail to parse due to an undefined entity.

Additional info:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
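The following is an added example (not Beaker's code and not the attached patch) showing the parsing behaviour the report describes and one stdlib-only hardening: the job XML is parsed with xml.parsers.expat driving an ElementTree.TreeBuilder, and any DOCTYPE or entity declaration is rejected before the document body is touched. It assumes that job XML never legitimately carries a DOCTYPE; the payload string is a constructed copy of the one above, the function and exception names are hypothetical, and the internal-entity variant is constructed to show that a DTD is processed and expanded by default even when no file is fetched. Expat itself does not fetch external entities unless an ExternalEntityRefHandler is installed; it is parsers that resolve them by default (lxml's XMLParser, whose resolve_entities defaults to True) that disclose file contents as described in the report.

```python
"""Reject DOCTYPE / entity declarations before job XML is parsed.

Added example, not Beaker's code. Standard library only: expat delivers
events to an ElementTree.TreeBuilder, and the hardened variant installs
handlers that abort the parse as soon as a DTD or entity declaration
appears, so neither external entities (file:///etc/passwd) nor internal
entity expansion can reach the application.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed copy of the payload shape from the bug report.
XXE_JOB = """<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<job>
  <whiteboard>&xxe;</whiteboard>
  <recipeSet>
    <recipe>
      <distroRequires>
        <distro_arch op="=" value="x86_64"/>
      </distroRequires>
      <hostRequires/>
      <task name="/distribution/install" role="STANDALONE"/>
    </recipe>
  </recipeSet>
</job>
"""

# Constructed: same job, but the entity is internal. Expat expands internal
# general entities by default, so this shows the DTD being honoured.
INTERNAL_ENTITY_JOB = XXE_JOB.replace(
    '<!ENTITY xxe SYSTEM "file:///etc/passwd" >', '<!ENTITY xxe "expanded" >')

# Constructed: a legitimate job with no DOCTYPE and a plain whiteboard.
BENIGN_JOB = XXE_JOB.split("]>\n", 1)[1].replace("&xxe;", "hello")


class ForbiddenDTD(ValueError):
    """Raised when job XML carries a DOCTYPE or an entity declaration."""


def _build_parser(builder, forbid_dtd):
    """Wire an expat parser to a TreeBuilder; optionally refuse any DTD."""
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = builder.start      # (name, attrs-dict)
    p.EndElementHandler = builder.end          # (name)
    p.CharacterDataHandler = builder.data      # (text)
    if forbid_dtd:
        def reject(*_args):
            # Raising inside a handler propagates out of Parse() and
            # stops the parse before any entity can be referenced.
            raise ForbiddenDTD(
                "DOCTYPE / entity declarations are not allowed in job XML")
        p.StartDoctypeDeclHandler = reject     # any <!DOCTYPE ...>
        p.EntityDeclHandler = reject           # any <!ENTITY ...>
    return p


def parse_job_xml_unsafe(text):
    """Plain expat: the DTD is processed and internal entities expand."""
    builder = ET.TreeBuilder()
    _build_parser(builder, forbid_dtd=False).Parse(text, True)
    return builder.close()


def parse_job_xml(text):
    """Hardened variant: a DTD anywhere in the document is a hard error."""
    builder = ET.TreeBuilder()
    _build_parser(builder, forbid_dtd=True).Parse(text, True)
    return builder.close()


def whiteboard(job):
    """Text of the <whiteboard> element of a parsed <job>."""
    return job.findtext("whiteboard")


def is_rejected(text):
    """True when the hardened parser refuses the document."""
    try:
        parse_job_xml(text)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    print("unsafe parser expands internal entity ->",
          whiteboard(parse_job_xml_unsafe(INTERNAL_ENTITY_JOB)))
    print("hardened parser rejects XXE payload  ->", is_rejected(XXE_JOB))
    print("hardened parser accepts benign job   ->",
          whiteboard(parse_job_xml(BENIGN_JOB)))
```

Rejecting the DTD outright, rather than only disabling external entity resolution, also rules out internal-entity expansion attacks (the "billion laughs" family) and matches the expected result in the report: a job carrying an entity reference is not accepted at all.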
Comment 2 Dan Callaghan 2015-04-29 03:21:38 EDT
Created attachment 1020003 [details]
proposed patch
Comment 5 Hui Wang 2015-05-04 02:39:19 EDT
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482
Steps:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example in the description

Result: Failed to import job
Comment 6 Dan Callaghan 2015-05-08 00:05:50 EDT
Beaker 20.1 has been released.
