Bug 923464 - (CVE-2013-1869) CVE-2013-1869 Satellite/Spacewalk: header injection flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
QA Contact: Dimitar Yordanov
Whiteboard: impact=moderate,public=20140210,repor...
Keywords: Security
Duplicates: 923465
Depends On: 915467
Blocks: 915998 1011743
Reported: 2013-03-19 18:50 EDT by Vincent Danen
Modified: 2015-07-31 03:02 EDT (History)
CC List: 9 users

Fixed In Version: spacewalk-java-2.0.2-58-sat
Doc Type: Bug Fix
Last Closed: 2014-02-11 08:09:04 EST

Attachments
Patch to stop trusting return_url (2.02 KB, patch), 2013-11-05 15:12 EST, Grant Gainey
Close header-hole (1.22 KB, patch), 2014-02-04 11:29 EST, Grant Gainey
Close header-hole, attempt #2 (1.56 KB, patch), 2014-02-05 08:54 EST, Grant Gainey


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2014:0148 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: spacewalk-java, spacewalk-web and satellite-branding security update | Last Updated: 2014-02-10 17:29:32 EST

Description Vincent Danen 2013-03-19 18:50:28 EDT
Ryan Giobbi from UPMC reported a header injection flaw in the Spacewalk web UI's return URL parameter:

Request

GET /rhn/systems/Overview.do?empty_set=true&return_url=67172%0d%0ad42e002fa0f HTTP/1.1
Host: host.example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://host.example.com/rhn/YourRhn.do
Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; JSESSIONID=FAEED8F0E45715879B0D0AFACB8ADFF7

Response

HTTP/1.0 302 Moved Temporarily
Date: Thu, 21 Feb 2013 17:43:48 GMT
Location: https://host.example.com/rhn/systems/67172
d42e002fa0f
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Set-Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; Path=/; Secure; HttpOnly
Connection: close
Comment 1 Vincent Danen 2013-03-19 18:55:43 EDT
Acknowledgements:

Red Hat would like to thank Ryan Giobbi of UPMC for reporting this issue.
Comment 2 Kurt Seifried 2013-10-10 01:07:57 EDT
*** Bug 923465 has been marked as a duplicate of this bug. ***
Comment 3 Grant Gainey 2013-11-05 15:12:06 EST
Created attachment 820003
Patch to stop trusting return_url

Only allow return-url for 'local' URLs
Comment 4 Grant Gainey 2014-01-24 10:42:21 EST
commit c87e821ae7d3b27b6bfb32b7955bda327b3312a9
Comment 9 Grant Gainey 2014-02-04 09:32:16 EST
Reproduced.  Working on a fix.
Comment 10 Grant Gainey 2014-02-04 11:29:55 EST
Created attachment 859232
Close header-hole
Comment 11 Kurt Seifried 2014-02-04 16:37:48 EST
Patch "Close header-hole" checks for 0X0D (CR) but should also check for line feed (LF, 0X0A) just to be extra safe.
Comment 12 Tomas Hoger 2014-02-04 16:39:50 EST
A few thoughts regarding the proposed additional fix:

- the fix only checks for \r, it does not check for \n.  Doing a quick test with just %0a instead of %0d%0a still gives me a response with the header injected.

- it's probably a good idea to avoid other special characters, such as all control characters.  It may be possible to restrict values of return_url to a specific alphabet, or %-escape anything that is outside of some safe set of characters.

- consider ignoring return_url if it contains injected characters that cannot be added there by Satellite.  Unless there's a real reason to try to use a safe prefix, it's safer to ignore known-malicious input.
Comment 16 Grant Gainey 2014-02-05 08:54:33 EST
Created attachment 859668
Close header-hole, attempt #2

Kurt, Tomas - new patch, this one removes all control-characters.  This seems to be the most efficient way to deal with attempted injection, without redesigning the redirect-after-relogin path entirely.
Comment 17 Tomas Hoger 2014-02-05 11:48:29 EST
This should prevent header injection.

Is there a reason to try to sanitize a problematic value rather than reject it?  getLegalReturnUrl() already returns null if the input does not have one of the allowed prefixes.  Why not do the same for bad return_url values with unexpected characters?  Do you assume such values may actually be generated by Satellite in some corner case?
Comment 20 Grant Gainey 2014-02-05 14:09:04 EST
Created attachment 859798
Close header hole, final

Kurt, Tomas - final patch to be submitted to QE today.  The change from the previous one is to simply reject any return_url that contains control characters (which means relogin drops you back to /rhn/YourRhn.do, the default starting location for Sat5).
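Added example, in Python, of the return_url handling argued out in comments 11 through 20; it is not Spacewalk's getLegalReturnUrl() and not taken from the attached patches. cr_only_check() mirrors the first attempt that a bare %0a bypasses; legal_return_url() takes the final approach of rejecting any non-local value or any value containing a control character and falling back to /rhn/YourRhn.do. The allowed prefix /rhn/ and the access-log line format are assumptions, and the log check at the end goes slightly beyond the thread as a detection aid for attempts like the one in the report.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed illustration of the return_url handling discussed in this bug; it is
# not Spacewalk's getLegalReturnUrl(). Prefix list and default page are assumptions
# (the default is the /rhn/YourRhn.do page that comment 20 names as the fallback).
ALLOWED_PREFIXES = ("/rhn/",)
DEFAULT_RETURN = "/rhn/YourRhn.do"
# Every C0 control character plus DEL, not just CR: comment 12 notes that a bare
# %0a still injects a header when only \r is checked.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Percent-encoded CR or LF in a raw (still undecoded) query string.
ENCODED_CRLF = re.compile(r"%0[dDaA]")

def cr_only_check(value):
    """First 'Close header-hole' attempt as described in comments 11 and 12:
    it rejects \\r but lets a bare \\n through to the Location header."""
    return None if "\r" in value else value

def legal_return_url(value):
    """Final approach (comment 20): reject any return_url that is not local or
    contains a control character, rather than trying to sanitize it."""
    if value is None or not value.startswith(ALLOWED_PREFIXES):
        return None
    if CONTROL_CHARS.search(value):
        return None
    return value

def redirect_target(return_url):
    """Redirect location after relogin; rejected input falls back to the default."""
    legal = legal_return_url(return_url)
    return legal if legal is not None else DEFAULT_RETURN

def return_url_from_request_line(request_line):
    """Percent-decoded return_url from a raw request line like the report's
    'GET /rhn/...Overview.do?empty_set=true&return_url=67172%0d%0ad42e002fa0f HTTP/1.1'."""
    target = request_line.split(" ")[1]
    values = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return values.get("return_url", [None])[0]

def suspicious_requests(log_lines):
    """Access-log lines (assumed common log format) whose return_url carries an
    encoded CR or LF: a cheap detection for attempts like the one in this report."""
    hits = []
    for line in log_lines:
        m = re.search(r'[?&]return_url=([^ &"]*)', line)
        if m and ENCODED_CRLF.search(m.group(1)):
            hits.append(line)
    return hits
```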
Comment 21 Grant Gainey 2014-02-05 14:24:04 EST
commit 3f3ce1687b5ae561bf5d8ae6450172fadfa2c2bb
Comment 25 errata-xmlrpc 2014-02-10 12:33:14 EST
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6

Via RHSA-2014:0148 https://rhn.redhat.com/errata/RHSA-2014-0148.html
