Bug 1215034 - (CVE-2015-3163) anonymous users can modify key types and power types
anonymous users can modify key types and power types
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: general (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified (vote)
: 20.1
: ---
Assigned To: matt jia
tools-bugs
: Patch, Security
Depends On:
Blocks: 1215894
  Show dependency treegraph
 
Reported: 2015-04-24 03:34 EDT by Dan Callaghan
Modified: 2018-02-05 19:41 EST (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-08 00:05:44 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed patch (3.79 KB, patch)
2015-04-29 21:09 EDT, matt jia
no flags Details | Diff
proposed patch (4.04 KB, patch)
2015-04-29 21:42 EDT, matt jia
no flags Details | Diff
proposed patch (10.03 KB, patch)
2015-04-29 22:20 EDT, matt jia
dcallagh: review+
Details | Diff

  None (edit)
Description Dan Callaghan 2015-04-24 03:34:12 EDT
Description of problem:
The admin pages for key types and power types do not perform any access checks. An authenticated user can visit these URLs directly (they do not appear in the menu for non-admins) and modify power types and key types.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Actual results:
All operations are allowed.

Expected results:
We can probably allow anonymous users to list the key types and power types as this would be generally useful (and is not sensitive information). However modifications should not be permitted except by admins.
Comment 1 matt jia 2015-04-29 21:09:49 EDT
Created attachment 1020383 [details]
proposed patch
Comment 2 matt jia 2015-04-29 21:42:40 EDT
Created attachment 1020388 [details]
proposed patch
Comment 3 matt jia 2015-04-29 22:20:42 EDT
Created attachment 1020389 [details]
proposed patch
Comment 6 Hui Wang 2015-05-04 03:25:54 EDT
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Result: server give 403 response.
Comment 7 Dan Callaghan 2015-05-08 00:05:44 EDT
Beaker 20.1 has been released.

Note You need to log in before you can comment on or make changes to this bug.