Bug 495616 - inaccessible channel, is accessible if you modify the url
Summary: inaccessible channel, is accessible if you modify the url
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 530
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Jesus M. Rodriguez
QA Contact: wes hayutin
URL: https://bugatti.usersys.redhat.com/rh...
Whiteboard:
Depends On:
Blocks: 456998
Reported: 2009-04-14 04:05 UTC by Jesus M. Rodriguez
Modified: 2009-09-10 19:48 UTC
2 users

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 19:48:59 UTC
Target Upstream Version:
Embargoed:



Description Jesus M. Rodriguez 2009-04-14 04:05:42 UTC
userb (of orgb) can enter the channel id of a shared channel from usera (of orga)
into the channel edit url, and proceed to make a change to the channel. The user
will see an error, but when they return to the Manage Software Channels page, the 
modified channel appears and the org_id of the channel is changed to that of userb
*NOT* usera the original owner.

1) create 2 orgs (orga, orgb) and give them a trust
2) create a new channel in orga and share it to orgb
2a) make a note of the channel id
3) login as orgb
4) create a new channel in orgb
5) go to /network/software/channels/manage/index.pxt
6) click on the new channel in orgb to see the Edit.do page
7) now change the cid param in the url to be the cid from step 2a
8) hit enter
9) notice you can now edit the channel *THIS IS BAD*
10) change the Channel Name to 'you have been pwn3d'
11) hit 'Update Channel'
12) notice you get an error page.
13) return to /network/software/channels/manage/index.pxt
14) observe the newly edited channel appears in the list *THIS IS BAD*
15) login as orga
16) go to /network/software/channels/manage/index.pxt
17) notice you no longer have the channel from step 2 in your list.

Comment 2 Jesus M. Rodriguez 2009-04-17 20:30:07 UTC
fixed in master: 1e1bc3392c27b9ebc353014ad2f27ab2b2606780

throws a permission error if you do not have access to said channel.
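
The defect in the description and the fix noted in this comment reduce to one missing object-level authorization check: the Edit handler trusted the client-supplied cid and never confirmed that the caller's org owns the channel. The following is an added, self-contained Python model (not Satellite or Spacewalk code) that places the unchecked handler beside a hardened one; the org, user and channel classes, the in-memory store and the sample ids are constructed for illustration. It also covers the shared-channel case the report relies on: visibility through an org trust does not grant the right to manage, and an unknown cid gets the same permission error as a foreign one.

```python
"""Object-level authorization check for a channel edit endpoint.

Added example, not Satellite/Spacewalk code: a toy model of orgs, org
trusts, shared channels and an Edit handler keyed by a client-supplied
``cid``, showing why the ownership check described in the fix (a permission
error when the caller's org does not own the channel) is required.
All names and the in-memory data are constructed for illustration.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller's org is not allowed to manage the channel."""


@dataclass
class Org:
    org_id: int
    trusts: set = field(default_factory=set)       # org_ids this org trusts


@dataclass
class User:
    login: str
    org_id: int


@dataclass
class Channel:
    cid: int
    name: str
    org_id: int                                    # owning org
    shared_with: set = field(default_factory=set)  # orgs that may *consume* it


class ChannelStore:
    """In-memory stand-in for the channel table (constructed sample data)."""

    def __init__(self):
        self.orgs = {1: Org(1, trusts={2}), 2: Org(2, trusts={1})}
        self.channels = {
            140: Channel(140, "orga-tools", org_id=1, shared_with={2}),
            141: Channel(141, "orgb-tools", org_id=2),
        }

    def by_id(self, cid):
        return self.channels.get(cid)


def edit_channel_unchecked(store, user, cid, new_name):
    """The reported defect: the request's cid is the only lookup key.

    Any authenticated user who supplies the id of a channel in another org
    can rename it, and the save path stamps the editor's org on the row,
    which is the ownership change the report describes.
    """
    channel = store.by_id(cid)
    if channel is None:
        raise KeyError(cid)
    channel.name = new_name
    channel.org_id = user.org_id       # silently re-homes the channel
    return channel


def edit_channel(store, user, cid, new_name):
    """Hardened handler: the caller's org must own the channel.

    Seeing a channel through an org trust does not grant the right to
    manage it, so ``shared_with`` is deliberately not consulted. A missing
    cid is reported exactly like a foreign one, so the error does not reveal
    which ids exist.
    """
    channel = store.by_id(cid)
    if channel is None or channel.org_id != user.org_id:
        raise PermissionDenied(f"org {user.org_id} may not manage channel {cid}")
    channel.name = new_name            # org_id is never taken from the request
    return channel


def list_manageable(store, user):
    """The Manage Software Channels view: channels owned by the user's org."""
    return sorted(c.cid for c in store.channels.values() if c.org_id == user.org_id)


def demo():
    """Replay the report against both handlers; returns the outcomes."""
    userb = User("userb", org_id=2)
    vulnerable = ChannelStore()
    edit_channel_unchecked(vulnerable, userb, 140, "renamed-by-orgb")
    hijacked = vulnerable.by_id(140).org_id == 2

    hardened = ChannelStore()
    try:
        edit_channel(hardened, userb, 140, "renamed-by-orgb")
        blocked = False
    except PermissionDenied:
        blocked = True
    return {
        "unchecked_changed_owner": hijacked,
        "checked_refused": blocked,
        "orga_still_owns_140": hardened.by_id(140).org_id == 1,
        "orgb_manageable": list_manageable(hardened, userb),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the authorization decision is made from server-side state (the channel row's owning org and the session's org) and the request contributes nothing but the lookup key; the same pattern applies to every handler that is addressed by a numeric id.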

Comment 3 wes hayutin 2009-05-11 14:16:41 UTC
 /network/software/channels/manage/index.pxt
 is now gone..

and you can't do it w/ changing the pid on the java page
rhn/channels/manage/Edit.do?cid=140

verified.. good catch :)

Comment 4 wes hayutin 2009-07-31 16:04:32 UTC
now get
You do not have the appropriate permission set to access the requested page. You may have reached this error page in one of several ways:

   1. You are using Konqueror 3.0, which does not handle form variables properly in all cases. Continuing to use Konqueror 3.0 will have unexpected results. If you are using Konqueror 3.0, please use another browser.
   2. Your login session has expired. For security reasons, RHN Satellite terminates your login session after 60 minutes of inactivity. To sign in again, click here.
   3. You've found an error in our site. Please contact your Support representative with details of how you received this message.
   4. Your browser does not have cookies enabled. The RHN Satellite requires cookies in order to function; if you have disabled them, please re-enable them to use the site.
   5. You've done something naughty. Stop it.

release pending

Comment 5 Brandon Perkins 2009-09-10 19:48:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

