Bug 487758 - origin lets you get arbitrary paths with a single valid header
Summary: origin lets you get arbitrary paths with a single valid header
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Network
Classification: Retired
Component: RHN/Backend
Version: rhn509
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Bryan Kearney
QA Contact: Red Hat Network Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 486586
Reported: 2009-02-27 19:07 UTC by James Bowes
Modified: 2013-01-10 10:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-03-16 12:52:45 UTC
Embargoed:



Description James Bowes 2009-02-27 19:07:45 UTC
origin examines 3 headers for a file request to do authentication. 2 are data, and the 3rd is a hash of the data ones, used for the auth.

Once authed, the code serves up the path requested in the url, which may not match the header.
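The bug shape described above and the check the test in this report exercises, as an added illustration that is not origin's or fake-akamai's own code: header names, the signing key and the HMAC construction are assumptions, since the report does not name them; the two rpm paths are the ones used in the verification comment.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed key and header names (hypothetical); the real origin headers
# and key are not given in the bug report.
SHARED_KEY = b"constructed-demo-key"


def sign(path, expires):
    """Third header: a hash (here an HMAC) over the two data headers."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def make_headers(path, expires):
    """What a well-behaved edge (fake-akamai) sends for a signed path."""
    return {"X-Path": path, "X-Expires": str(expires),
            "X-Auth": sign(path, expires)}


def auth_ok(headers):
    expected = sign(headers.get("X-Path", ""), headers.get("X-Expires", ""))
    return hmac.compare_digest(expected, headers.get("X-Auth", ""))


def serve_vulnerable(url, headers):
    """Bug: the hash only binds the header values, but the file served is
    taken from the request URL, so one valid header set unlocks any path."""
    if not auth_ok(headers):
        return 401, None
    return 200, urlsplit(url).path


def serve_fixed(url, headers):
    """Fix: the path in the URL must be the path the headers were signed for;
    a mismatch is denied (and would be logged by origin)."""
    if not auth_ok(headers):
        return 401, None
    if urlsplit(url).path != headers["X-Path"]:
        return 401, None
    return 200, headers["X-Path"]
```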

Comment 1 James Bowes 2009-03-06 16:36:19 UTC
To test:
  * edit fake-akamai.cgi so that it requests a file that is different from the one you pass on the command line. Do so by changing 'parsed[2]' on line 111 (in the conn.request() call) to some valid path for an rpm.
  * run fake akamai from the command line, passing a different path as the argument
  * your request should be denied, and origin should log the error.

Comment 2 Grant Gainey 2009-03-06 19:01:54 UTC
VERIFIED in dev.

 * fake-akamai broken to always point at "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"
 * renamed to broken-fake-akamai
 * run as follows:

  sudo ./broken-fake-akamai.cgi --cli --verbose https://origin.rhn.webdev.redhat.com /rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm

 * origin returned the following:

HTTP 401 Authorization Required
Headers:
Traceback (most recent call last):
  File "./broken-fake-akamai.cgi", line 220, in ?
    run_from_cli()
  File "./broken-fake-akamai.cgi", line 208, in run_from_cli
    for header in fo.getheaders():
AttributeError: HTTPResponse instance has no attribute 'getheaders'

Moving to VERIFIED
