Bug 1215034 (CVE-2015-3163) - anonymous users can modify key types and power types
Summary: anonymous users can modify key types and power types
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-3163
Product: Beaker
Classification: Retired
Component: general
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: 20.1
Assignee: matt jia
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks: 1215894
TreeView+ depends on / blocked
 
Reported: 2015-04-24 07:34 UTC by Dan Callaghan
Modified: 2018-02-06 00:41 UTC (History)
18 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-05-08 04:05:44 UTC
Embargoed:

Attachments (Terms of Use)
proposed patch (3.79 KB, patch)
2015-04-30 01:09 UTC, matt jia 		no flags Details | Diff
proposed patch (4.04 KB, patch)
2015-04-30 01:42 UTC, matt jia 		no flags Details | Diff
proposed patch (10.03 KB, patch)
2015-04-30 02:20 UTC, matt jia 		dcallagh: review+
Details | Diff
Show Obsolete (2) View All

Description Dan Callaghan 2015-04-24 07:34:12 UTC 
Description of problem:
The admin pages for key types and power types do not perform any access checks. An authenticated user can visit these URLs directly (they do not appear in the menu for non-admins) and modify power types and key types.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Actual results:
All operations are allowed.

Expected results:
We can probably allow anonymous users to list the key types and power types as this would be generally useful (and is not sensitive information). However modifications should not be permitted except by admins.
Comment 1 matt jia 2015-04-30 01:09:49 UTC 
Created attachment 1020383 [details]
proposed patch
Comment 2 matt jia 2015-04-30 01:42:40 UTC 
Created attachment 1020388 [details]
proposed patch
Comment 3 matt jia 2015-04-30 02:20:42 UTC 
Created attachment 1020389 [details]
proposed patch
Comment 6 Hui Wang 2015-05-04 07:25:54 UTC 
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Result: server give 403 response.
Comment 7 Dan Callaghan 2015-05-08 04:05:44 UTC 
Beaker 20.1 has been released.
Note You need to log in before you can comment on or make changes to this bug.