Bug 499568 - Information leak in /satconfig/cgi-bin/fetch_nocpulseini.cgi
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Miroslav Suchý
QA Contact: wes hayutin
Blocks: 463877
Reported: 2009-05-07 04:49 EDT by Jan Pazdziora
Modified: 2009-09-10 14:49 EDT
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 14:49:40 EDT
Attachments: None
Description Jan Pazdziora 2009-05-07 04:49:09 EDT
Description of problem:

The http://FQDN/satconfig/cgi-bin/fetch_nocpulseini.cgi seems to return the whole NOCpulse.ini, with Oracle port, admin email, and all details.

I assume it is used by remote scouts but it should require some scout_shared_key or at least a minimal secret.

Version-Release number of selected component (if applicable):

Satellite 5.2.0. It is also present on 5.3.0.

How reproducible:


Steps to Reproduce:
1. Have Satellite, enable Monitoring (that Monitoring part might not be necessary).
2. Do GET http://FQDN/satconfig/cgi-bin/fetch_nocpulseini.cgi from another machine.
Actual results:

# SputLite configuration

The whole configuration.

Expected results:

It should not be possible to get monitoring config this way.

Additional info:
Comment 6 Milan Zázrivec 2009-05-20 15:25:41 EDT
Comment 7 Miroslav Suchý 2009-05-21 05:39:45 EDT
moving back to modified as I forgot to cherry-pick one commit to vader.
Comment 8 Miroslav Suchý 2009-05-22 07:40:23 EDT
Satellite-5.3.0-RHEL4-re20090521.1 is out 
moving ON_QA
Comment 9 wes hayutin 2009-06-02 09:02:20 EDT
Resolving grandprix.rhndev.redhat.com...
Connecting to grandprix.rhndev.redhat.com||:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
19:01:03 ERROR 403: Forbidden.
Comment 10 Milan Zázrivec 2009-09-02 10:53:37 EDT
# wget http://xen60.englab.brq.redhat.com/satconfig/cgi-bin/fetch_nocpulseini.cgi
--16:51:58--  http://xen60.englab.brq.redhat.com/satconfig/cgi-bin/fetch_nocpulseini.cgi
Resolving xen60.englab.brq.redhat.com...
Connecting to xen60.englab.brq.redhat.com||:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
16:51:59 ERROR 403: Forbidden.

This works from inside my satellite host (i.e. xen60).

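A post-fix verification check, added here as an example that is not part of this bug report or of Satellite's own code: it classifies the answer from fetch_nocpulseini.cgi the way comments 9 and 10 do (403 from a remote host means the fix is in place; a body starting with "# SputLite configuration" means the leak from the description is still present). The hostname argument and the sample responses are constructed assumptions, not captured from a real host.

```python
"""Post-fix check for the leak in this bug (added example, not code from
the report or from Satellite): a remote GET must be refused with 403 and
the NOCpulse.ini body must never come back."""
import sys
import urllib.error
import urllib.request

# Path and first line of the leaked file come from the bug report.
ENDPOINT = "/satconfig/cgi-bin/fetch_nocpulseini.cgi"
LEAK_MARKER = "# SputLite configuration"

def classify(status, body):
    """Map one HTTP response to 'LEAK', 'DENIED' or 'UNEXPECTED'."""
    if LEAK_MARKER in body:
        return "LEAK"        # pre-fix behaviour: config served, whatever the status
    if status in (401, 403):
        return "DENIED"      # behaviour verified in comments 9 and 10
    return "UNEXPECTED"      # some other page, 404, 5xx: inspect by hand

def fetch(url, timeout=10):
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_host(fqdn, scheme="http"):
    """Probe one Satellite from this machine and classify the answer."""
    return classify(*fetch(f"{scheme}://{fqdn}{ENDPOINT}"))

# Constructed sample responses (not captured from a real host) for offline use.
SAMPLE_RESPONSES = {
    "unpatched": (200, "# SputLite configuration\noracle_port=1521\nadmin_email=admin@example.com\n"),
    "patched": (403, "<html><title>403 Forbidden</title></html>"),
    "odd": (200, "<html>It works!</html>"),
}

def classify_samples():
    """Classify the constructed samples; a sanity check for classify()."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}

if __name__ == "__main__":
    # The hostname argument is a placeholder for your own Satellite FQDN.
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        print(classify_samples())
```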
Comment 11 Brandon Perkins 2009-09-10 14:49:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
