A Cross-Site Request Forgery (CSRF) flaw was found in FreeIPA due to a lack of checking the Referer header in the server (it is not set in the CLI utilities). If a remote attacker could trick a user, who was logged into the FreeIPA management interface, into visiting a specially-crafted URL, the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.
Added Nalin as he is the maintainer of the certmonger package.
Created attachment 529392
Require a Referer in the server, send one in the clients
The xmlrpc-c api does not seem to provide a way to set arbitrary headers. It does allow you to set the user-agent string though, so we set that with an embedded line-feed (\n) and a Referer entry. It isn't pretty but it works.
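The server side of the fix described in this report is a check that every request carries a Referer naming the FreeIPA server itself. The following is an added illustration of such a check, not FreeIPA's own code; the hostnames and the header dictionaries are constructed for the example.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when the Referer omits an explicit port.
DEFAULT_PORTS = {"https": 443, "http": 80}


def referer_allowed(headers, server_host, server_port=443, scheme="https"):
    """Return True only if the request's Referer points at this server.

    A missing Referer is rejected outright (this is why the CLI clients
    in this report had to start sending one). The scheme, hostname and
    port are compared separately so that a lookalike host such as
    'ipa.example.test.evil.example' or a plain-http origin does not pass.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != scheme:
        return False
    if (parts.hostname or "").lower() != server_host.lower():
        return False
    return (port or DEFAULT_PORTS[scheme]) == server_port


if __name__ == "__main__":
    # Constructed sample requests: one from the server's own UI, one
    # with no Referer at all, one from a foreign origin.
    samples = [
        {"Referer": "https://ipa.example.test/ipa/ui"},
        {},
        {"Referer": "https://evil.example.test/csrf.html"},
    ]
    for hdrs in samples:
        print(hdrs.get("Referer"), "->",
              "accept" if referer_allowed(hdrs, "ipa.example.test") else "reject")
```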
Created attachment 529394
Modify certmonger to send Referer header with requests
Created attachment 530677
Updated certmonger patch to address Nalin's concerns
I added #define _GNU_SOURCE so asprintf() gets defined. I think this should be benign but you know certmonger better than I.
Created attachment 530982
Final certmonger patch
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1533 https://rhn.redhat.com/errata/RHSA-2011-1533.html