Bug 499568 - Information leak in /satconfig/cgi-bin/fetch_nocpulseini.cgi
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 520
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Miroslav Suchý
QA Contact: wes hayutin
URL: /satconfig/cgi-bin/fetch_nocpulseini.cgi
Blocks: 463877
Reported: 2009-05-07 04:49 EDT by Jan Pazdziora
Modified: 2009-09-10 14:49 EDT
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 14:49:40 EDT
Description Jan Pazdziora 2009-05-07 04:49:09 EDT
Description of problem:

The http://FQDN/satconfig/cgi-bin/fetch_nocpulseini.cgi seems to return the whole NOCpulse.ini, with Oracle port, admin email, and all details.

I assume it is used by remote scouts but it should require some scout_shared_key or at least minimal secret.

Version-Release number of selected component (if applicable):

Satellite 5.2.0. It is also present on 5.3.0.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Satellite, enable Monitoring (that Monitoring part might not be necessary).
2. Do GET http://FQDN/satconfig/cgi-bin/fetch_nocpulseini.cgi from another machine.
  
Actual results:

[CommandQueue]
# SputLite configuration
exelog=/home/nocpulse/var/commands/execute_commands.log
exelogLevel=3
gritchdb=/home/nocpulse/var/commands/.gripes.gdbm
heartbeatFile=/home/nocpulse/var/commands/heartbeat
[...]

The whole configuration.

Expected results:

It should not be possible to get monitoring config this way.

Additional info:
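The report asks that the CGI not be reachable by arbitrary remote clients, and the later comments show the shipped fix answering remote requests with 403 Forbidden while requests from the Satellite host itself still succeed. The httpd fragment below is an added illustration of that access pattern, not the project's own fix: it assumes the CGI is served by Apache httpd 2.2 (Order/Allow/Deny syntax) and that the only legitimate callers are processes on the Satellite host; the directory path is hypothetical, and 10.34.34.60 is the Satellite address quoted in comment 10.

```apache
# Illustrative httpd configuration (added example, not the Satellite fix).
# Assumption: the CGI lives in a hypothetical /var/www/satconfig/cgi-bin.

# BEFORE (weak): the CGI is executable and readable by any client that can
# reach port 80, so a plain GET returns the complete NOCpulse.ini.
<Directory "/var/www/satconfig/cgi-bin">
    Options +ExecCGI
    SetHandler cgi-script
    Order allow,deny
    Allow from all
</Directory>

# AFTER (hardened): deny by default and allow only the host itself.
# Remote clients now receive 403 Forbidden; local callers are unaffected,
# which matches the behaviour reported in comment 10.
<Location "/satconfig/cgi-bin/fetch_nocpulseini.cgi">
    Order deny,allow
    Deny from all
    # Loopback, for callers that use http://localhost/
    Allow from 127.0.0.1
    # The Satellite's own public address (value taken from comment 10),
    # for callers that connect through the FQDN instead of loopback.
    Allow from 10.34.34.60
</Location>

# Note: a source-address restriction only limits who can reach the CGI.
# It is not a substitute for the per-scout shared secret the report asks
# for, since any process on an allowed host can still read the file.
```

After reloading httpd, repeat the wget check from comments 9 and 10: a GET from another machine should fail with 403, and the same GET issued on the Satellite host should still return the configuration.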
Comment 6 Milan Zázrivec 2009-05-20 15:25:41 EDT
eventReceivers-2.20.11-4
Comment 7 Miroslav Suchý 2009-05-21 05:39:45 EDT
moving back to modified as I forgot to cherry-pick one commit to vader.
Comment 8 Miroslav Suchý 2009-05-22 07:40:23 EDT
Satellite-5.3.0-RHEL4-re20090521.1 is out 
moving ON_QA
Comment 9 wes hayutin 2009-06-02 09:02:20 EDT
Resolving grandprix.rhndev.redhat.com... 10.10.76.46
Connecting to grandprix.rhndev.redhat.com|10.10.76.46|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
19:01:03 ERROR 403: Forbidden.
Comment 10 Milan Zázrivec 2009-09-02 10:53:37 EDT
# wget http://xen60.englab.brq.redhat.com/satconfig/cgi-bin/fetch_nocpulseini.cgi
--16:51:58--  http://xen60.englab.brq.redhat.com/satconfig/cgi-bin/fetch_nocpulseini.cgi
Resolving xen60.englab.brq.redhat.com... 10.34.34.60
Connecting to xen60.englab.brq.redhat.com|10.34.34.60|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
16:51:59 ERROR 403: Forbidden.

This works from inside my satellite host (i.e. xen60).

RELEASE_PENDING
Comment 11 Brandon Perkins 2009-09-10 14:49:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
