Bug 484828 - op.cgi security bug allows RA agents to approve requests not assigned to their agent group
Summary: op.cgi security bug allows RA agents to approve requests not assigned to thei...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: RA
Version: unspecified
Hardware: All
OS: Linux
urgent
medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788 CVE-2009-0588
TreeView+ depends on / blocked
 
Reported: 2009-02-10 05:30 UTC by Robert Mead
Modified: 2018-10-20 01:57 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:32:17 UTC


Attachments (Terms of Use)
corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups) (4.17 KB, application/x-cgi)
2009-02-10 05:30 UTC, Robert Mead
no flags Details

Description Robert Mead 2009-02-10 05:30:51 UTC
Created attachment 331394 [details]
corrected version of op.cgi, restricts approval requests to those allocated to his/her role(/groups)

Description of problem:
op.cgi uses different code to both (docroot/agent/request) index.cgi and read.cgi for retrieving a request from the $queue. As a result, contrary to the other two scripts it fails to enforce limitations on RA's to only approve requests assigned to their group/role.

I also noticed two cases where the database/queue connection could be left hanging (open) and added $queue->close(); calls immediately before the "return" statements in question.

Version-Release number of selected component (if applicable):
yum info pki-ra says
Version: 1.0.0
Release: 2.fc8


How reproducible:
every time.

Steps to Reproduce:
1. configure CS.cfg to assign different requests (user/server) to different (ra agent interface) groups OR as in our case modify the autoassign plugin to assign different requests to different agent groups.
2. add agents to the agent groups
3. edit CS.cfg to authorize the new agent groups i.e. add the new groups to:
agent.authorized_groups=admin,agent,serverAgents,userAgents
4. request a certificate that gets assigned to one agent group e.g. serverAgents
5. notice the list and read screens correctly show the request for agents in the correct group (e.g. serverAgents) and don't show to other agents
6. as the other agent (e.g. an agent not in the serverAgents), paste the approve url for the new request into your browser.
7. The request is approved, when it should not be.
  
Actual results:
The request is approved, when it should not be.

Expected results:
The approval request should be ignore and potentially logged.

Additional info:

The fix is simple and based on the other similar cgi's. I have tested and it works for both the success and failure case. The fix is no more elegant than the code in the index.cgi and read.cgi - but works similarly. Input validation across the RA interface is poor. I am not a perl programmer so someone should check it, but it is a very simple fix.

Here is a diff fixed_file orig_file
 diff op.cgi op.cgi.orig 
71d70
< 
80,87c79
<   #Security bug, previously allowed agents to approve requests 
<   #they can't see replace with same code as index.cgi and read.cgi
<   #to limit approvals to requests assigned to their role/group.
<   #my $pref = $queue->read_request($id);
<   my @roles = $self->get_current_roles($cfg);
<   my $pref = $queue->read_request_by_roles(\@roles, $id);
<   #consider adding an error check and redirect
< 
---
>   my $pref = $queue->read_request($id);
92d83
<       $queue->close();    #close previously hanging database connection
100d90
<       $queue->close();    #close previously hanging database connection

I am attaching the fixed version of the file.

Comment 2 Ade Lee 2009-03-12 18:42:05 UTC
Thanks for the report. 

Your proposed fix will be incorporated in the Dogtag source  tree in the near future (probably over the next week or two).  It will also be released as a security errata for CS 7.3 shortly thereafter.  

Thanks, 
Ade Lee
Red Hat CS Dev Team

Comment 3 Ade Lee 2009-04-07 17:46:23 UTC
Created attachment 338553 [details]
patch to fix 

patch to fix .. 

cfu , please review

Comment 4 Andrew Wnuk 2009-04-07 19:09:30 UTC
attachment (id=338553) +awnuk

Comment 5 Ade Lee 2009-04-07 19:53:11 UTC
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla BZ#484828: op.cgi allows RA agents to approve requests not assigned to their agent group" base/ra dogtag/ra
Sending        base/ra/forms/agent/request/op.cgi
Sending        dogtag/ra/pki-ra.spec
Transmitting file data ..
Committed revision 377.

Comment 6 Chandrasekar Kannan 2009-06-05 00:14:56 UTC
verified with pki-ra build - 06/04/2009.

https://sigma.dsdev.sjc.redhat.com:27989/agent/request/op.cgi?type=approve&id=3

Accessing a url like that says "you are not authorized".

test case.

1 - added group1,group2 from ra admin
2 - added user1,user2 from ra admin
3 - user1 added to group1. user2 added to group2
4 - change autoassign.pm to assign all requests to group1 by default
5 - restart ra
6 - file a request. gets assgined to group1
7 - login to ra agent as user1. able to see request. see approve url
8 - login to ra agent as user2. unable to view request. unable to see approve url.


Note You need to log in before you can comment on or make changes to this bug.