Bug 484828 - op.cgi security bug allows RA agents to approve requests not assigned to their agent group
Product: Dogtag Certificate System
Classification: Community
Component: RA
All Linux
urgent Severity medium
Assigned To: Ade Lee
Chandrasekar Kannan
Blocks: 443788 CVE-2009-0588
Reported: 2009-02-10 00:30 EST by Robert Mead
Modified: 2015-01-04 18:36 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:32:17 EDT

Attachments
corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups) (4.17 KB, application/x-cgi)
2009-02-10 00:30 EST, Robert Mead

Description Robert Mead 2009-02-10 00:30:51 EST
Created attachment 331394
corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups)

Description of problem:
op.cgi uses different code to both (docroot/agent/request) index.cgi and read.cgi for retrieving a request from the $queue. As a result, contrary to the other two scripts it fails to enforce limitations on RA's to only approve requests assigned to their group/role.

I also noticed two cases where the database/queue connection could be left hanging (open) and added $queue->close(); calls immediately before the "return" statements in question.

Version-Release number of selected component (if applicable):
yum info pki-ra says
Version: 1.0.0
Release: 2.fc8

How reproducible:
every time.

Steps to Reproduce:
1. configure CS.cfg to assign different requests (user/server) to different (ra agent interface) groups OR as in our case modify the autoassign plugin to assign different requests to different agent groups.
2. add agents to the agent groups
3. edit CS.cfg to authorize the new agent groups i.e. add the new groups to:
4. request a certificate that gets assigned to one agent group e.g. serverAgents
5. notice the list and read screens correctly show the request for agents in the correct group (e.g. serverAgents) and don't show to other agents
6. as the other agent (e.g. an agent not in the serverAgents), paste the approve url for the new request into your browser.
7. The request is approved, when it should not be.

Actual results:
The request is approved, when it should not be.

Expected results:
The approval request should be ignored and potentially logged.

Additional info:

The fix is simple and based on the other similar cgi's. I have tested and it works for both the success and failure case. The fix is no more elegant than the code in the index.cgi and read.cgi - but works similarly. Input validation across the RA interface is poor. I am not a Perl programmer so someone should check it, but it is a very simple fix.

Here is a diff fixed_file orig_file
 diff op.cgi op.cgi.orig 
<   #Security bug, previously allowed agents to approve requests 
<   #they can't see replace with same code as index.cgi and read.cgi
<   #to limit approvals to requests assigned to their role/group.
<   #my $pref = $queue->read_request($id);
<   my @roles = $self->get_current_roles($cfg);
<   my $pref = $queue->read_request_by_roles(\@roles, $id);
<   #consider adding an error check and redirect
>   my $pref = $queue->read_request($id);
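Review bot: no check of `$pref` follows the `read_request_by_roles(\@roles, $id)` call in these lines, and the `#consider adding an error check and redirect` comment leaves that as a reminder rather than code. If the lookup returns nothing for a request outside the agent's roles, test `$pref` immediately after the call, return a not-authorized response, and log the agent and request id so that a refused approval leaves a trace, as the report's expected results ask. The commented-out `#my $pref = $queue->read_request($id);` line can be dropped, since op.cgi.orig already records the old call.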
<       $queue->close();    #close previously hanging database connection
<       $queue->close();    #close previously hanging database connection
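Review bot: closing the queue by hand before each `return`, as the two added `$queue->close();` lines do, leaves the next early return that is added to op.cgi free to leak the connection again. Consider closing the queue once, directly after the request has been read, or routing every exit through a single cleanup path. The two lines are identical and carry no context, so a unified diff in original-then-fixed order would let a reviewer see which returns they guard.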

I am attaching the fixed version of the file.
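The difference between the two lookups described in this report, as an added Perl sketch that is not the attached op.cgi or any Dogtag source. DemoQueue, the approve_* subs, the userAgents group and request id 7 are made up for illustration; only the method names read_request and read_request_by_roles come from the report.

```perl
# Added illustration, not Dogtag code. DemoQueue is a hypothetical in-memory
# stand-in for the RA queue; only the two read_* method names are from the report.
use strict;
use warnings;

package DemoQueue;
sub new   { my ($class, %reqs) = @_; return bless { reqs => { %reqs }, open => 1 }, $class }
sub close { $_[0]{open} = 0 }
sub read_request { my ($self, $id) = @_; return $self->{reqs}{$id} }   # id only
sub read_request_by_roles {             # id AND the group the request is assigned to
    my ($self, $roles, $id) = @_;
    my $req = $self->{reqs}{$id} or return;
    my $ok  = grep { $_ eq $req->{assigned_to} } @$roles;
    return $ok ? $req : undef;
}

package main;

# Pre-fix shape: any authenticated agent who knows the id can approve.
sub approve_unfiltered {
    my ($queue, $roles, $id) = @_;      # $roles is never consulted
    my $req = $queue->read_request($id);
    $queue->close();
    return 'not found' unless $req;
    $req->{status} = 'APPROVED';
    return 'approved';
}

# Post-fix shape, plus the error check the report suggests: deny, log, close.
sub approve_by_roles {
    my ($queue, $roles, $id, $agent) = @_;
    my $req = $queue->read_request_by_roles($roles, $id);
    $queue->close();                    # closed on every path, deny included
    unless ($req) {
        warn "DENY approve request=$id agent=$agent roles=@$roles\n";
        return 'not authorized';
    }
    $req->{status} = 'APPROVED';
    return 'approved';
}

# Constructed sample data: request 7 is assigned to serverAgents.
my @user2_roles = ('userAgents');
my $q1 = DemoQueue->new(7 => { assigned_to => 'serverAgents', status => 'OPEN' });
my $q2 = DemoQueue->new(7 => { assigned_to => 'serverAgents', status => 'OPEN' });
print "unfiltered: ", approve_unfiltered($q1, \@user2_roles, 7), "\n";
print "by roles:   ", approve_by_roles($q2, \@user2_roles, 7, 'user2'), "\n";
```

The same agent and request id produce an approval through the unfiltered lookup and a logged refusal through the role-filtered one, which is the behaviour index.cgi and read.cgi already had.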
Comment 2 Ade Lee 2009-03-12 14:42:05 EDT
Thanks for the report. 

Your proposed fix will be incorporated in the Dogtag source  tree in the near future (probably over the next week or two).  It will also be released as a security errata for CS 7.3 shortly thereafter.  

Ade Lee
Red Hat CS Dev Team
Comment 3 Ade Lee 2009-04-07 13:46:23 EDT
Created attachment 338553
patch to fix 

patch to fix .. 

cfu , please review
Comment 4 Andrew Wnuk 2009-04-07 15:09:30 EDT
attachment (id=338553) +awnuk
Comment 5 Ade Lee 2009-04-07 15:53:11 EDT
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla BZ#484828: op.cgi allows RA agents to approve requests not assigned to their agent group" base/ra dogtag/ra
Sending        base/ra/forms/agent/request/op.cgi
Sending        dogtag/ra/pki-ra.spec
Transmitting file data ..
Committed revision 377.
Comment 6 Chandrasekar Kannan 2009-06-04 20:14:56 EDT
verified with pki-ra build - 06/04/2009.


Accessing a url like that says "you are not authorized".

test case.

1 - added group1,group2 from ra admin
2 - added user1,user2 from ra admin
3 - user1 added to group1. user2 added to group2
4 - change autoassign.pm to assign all requests to group1 by default
5 - restart ra
6 - file a request. gets assigned to group1
7 - login to ra agent as user1. able to see request. see approve url
8 - login to ra agent as user2. unable to view request. unable to see approve url.
