Bug 923464 (CVE-2013-1869) - CVE-2013-1869 Satellite/Spacewalk: header injection flaw
Summary: CVE-2013-1869 Satellite/Spacewalk: header injection flaw
Alias: CVE-2013-1869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Dimitar Yordanov
Duplicates: 923465
Depends On: 915467
Blocks: 915998 1011743
Reported: 2013-03-19 22:50 UTC by Vincent Danen
Modified: 2019-09-29 13:01 UTC

Fixed In Version: spacewalk-java-2.0.2-58-sat
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-02-11 13:09:04 UTC

Attachments
Patch to stop trusting return_url (2.02 KB, patch) - 2013-11-05 20:12 UTC, Grant Gainey
Close header-hole (1.22 KB, patch) - 2014-02-04 16:29 UTC, Grant Gainey
Close header-hole, attempt #2 (1.56 KB, patch) - 2014-02-05 13:54 UTC, Grant Gainey

System: Red Hat Product Errata
ID: RHSA-2014:0148
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: spacewalk-java, spacewalk-web and satellite-branding security update
Last Updated: 2014-02-10 22:29:32 UTC

Description Vincent Danen 2013-03-19 22:50:28 UTC
Ryan Giobbi from UPMC reported a header injection flaw in the Spacewalk web UI's return URL parameter:


GET /rhn/systems/Overview.do?empty_set=true&return_url=67172%0d%0ad42e002fa0f HTTP/1.1
Host: host.example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://host.example.com/rhn/YourRhn.do
Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; JSESSIONID=FAEED8F0E45715879B0D0AFACB8ADFF7


HTTP/1.0 302 Moved Temporarily
Date: Thu, 21 Feb 2013 17:43:48 GMT
Location: https://host.example.com/rhn/systems/67172
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Set-Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; Path=/; Secure; HttpOnly
Connection: close

Comment 1 Vincent Danen 2013-03-19 22:55:43 UTC

Red Hat would like to thank Ryan Giobbi of UPMC for reporting this issue.

Comment 2 Kurt Seifried 2013-10-10 05:07:57 UTC
*** Bug 923465 has been marked as a duplicate of this bug. ***

Comment 3 Grant Gainey 2013-11-05 20:12:06 UTC
Created attachment 820003 [details]
Patch to stop trusting return_url

Only allow return-url for 'local' URLs

Comment 4 Grant Gainey 2014-01-24 15:42:21 UTC
commit c87e821ae7d3b27b6bfb32b7955bda327b3312a9

Comment 9 Grant Gainey 2014-02-04 14:32:16 UTC
Reproduced.  Working on a fix.

Comment 10 Grant Gainey 2014-02-04 16:29:55 UTC
Created attachment 859232 [details]
Close header-hole

Comment 11 Kurt Seifried 2014-02-04 21:37:48 UTC
Patch "Close header-hole" checks for 0X0D (CR) but should also check for line feed (LF, 0X0A) just to be extra safe.

Comment 12 Tomas Hoger 2014-02-04 21:39:50 UTC
Few thoughts regarding the proposed additional fix:

- fix only checks for \r, it does not check for \n.  Doing a quick test with just %0a instead of %0d%0a still gives me a response with header injected.

- it's probably good idea to avoid other special characters, such as all control characters.  It may be possible to restrict values of return_url to a specific alphabet, or %-escape anything that is outside of some safe set of characters.

- consider ignoring return_url if it contains injected characters that can not be added there by Satellite.  Unless there's real reason to try to use safe prefix, it's safer to ignore known-malicious input.

Comment 16 Grant Gainey 2014-02-05 13:54:33 UTC
Created attachment 859668 [details]
Close header-hole, attempt #2

Kurt, Tomas - new patch, this one removes all control-characters.  This seems to be the most efficient way to deal with attempted injection, without redesigning the redirect-after-relogin path entirely.

Comment 17 Tomas Hoger 2014-02-05 16:48:29 UTC
This should prevent header injection.

Is there a reason to try to sanitize problematic value rather than reject it?  getLegalReturnUrl() already returns null if input does not have one of allowed prefixes.  Why not do the same for bad return_url values with unexpected characters?  Do you assume such may actually be generated by Satellite in some corner case?

Comment 20 Grant Gainey 2014-02-05 19:09:04 UTC
Created attachment 859798 [details]
Close header hole, final

Kurt, Tomas - final patch to be submitted to QE today.  Change from previous is to simply reject any return_url that contains control-characters (which means relogin drops you back to /rhn/YourRhn.do, the default starting location for Sat5)
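
The checks debated in comments 12, 17 and 20, as an added example that is not part of this bug report or of the Spacewalk patches: a Python model of a return_url validator that rejects (rather than sanitises) any value containing a control character or pointing outside the local site, beside a naive redirect writer that shows what a lenient client sees with and without that check, including the %0a-only variant from comment 12. The allowed prefix /rhn/, the default landing page and the probe strings are assumptions modelled on the discussion, not captured traffic.

```python
"""Reject, rather than sanitise, a redirect-after-login return_url.

Added example, not Spacewalk code. ALLOWED_PREFIXES, DEFAULT_RETURN_URL
and the probe strings are assumptions modelled on the bug discussion.
"""
import re
import urllib.parse
from typing import List, Optional

ALLOWED_PREFIXES = ("/rhn/",)            # assumption: local Satellite pages live under /rhn/
DEFAULT_RETURN_URL = "/rhn/YourRhn.do"   # default start page named in comment 20

# Constructed probes in the style of the report: CR LF, and the LF-only
# variant from comment 12. Not captured traffic.
CRLF_PROBE = "/rhn/systems/67172%0d%0aSet-Cookie:%20injected=1"
LF_PROBE = "/rhn/systems/67172%0aSet-Cookie:%20injected=1"


def has_control_chars(value: str) -> bool:
    """True if value contains a C0 control character (0x00-0x1F) or DEL (0x7F).

    CR and LF are what header injection needs; every control character is
    rejected, as comment 12 suggests, rather than just those two.
    """
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def legal_return_url(raw: Optional[str]) -> str:
    """Return a safe local redirect target, or the default when raw is untrusted.

    The decoded value is rejected outright (comment 17's point) if it is
    empty, is not a local URL under an allowed prefix, or contains any
    control character. Nothing is stripped or escaped.
    """
    if not raw:
        return DEFAULT_RETURN_URL
    value = urllib.parse.unquote(raw)    # %0d%0a becomes CR LF, as the container decodes it
    if has_control_chars(value) or not value.startswith(ALLOWED_PREFIXES):
        return DEFAULT_RETURN_URL
    return value


def build_redirect(location: str) -> bytes:
    """Model of a handler that copies location into the Location header verbatim.

    Given a raw, decoded return_url this is the vulnerable pre-fix behaviour;
    given the result of legal_return_url() the header cannot be split.
    """
    return (
        "HTTP/1.0 302 Moved Temporarily\r\n"
        f"Location: https://host.example.com{location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def header_names(response: bytes) -> List[str]:
    """Header field names as a lenient client parses them.

    A bare LF is accepted as a line terminator, as browsers do, which is
    why the %0a-only probe still splits the header.
    """
    head = re.split(rb"\r?\n\r?\n", response, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)[1:]      # drop the status line
    return [line.split(b":", 1)[0].decode() for line in lines if line]


def redirect_header_names(raw: str, validate: bool) -> List[str]:
    """Headers a client sees for raw return_url, with or without validation."""
    location = legal_return_url(raw) if validate else urllib.parse.unquote(raw)
    return header_names(build_redirect(location))


if __name__ == "__main__":
    for name, probe in (("CRLF", CRLF_PROBE), ("LF only", LF_PROBE)):
        print(f"{name}: unvalidated {redirect_header_names(probe, False)}"
              f" -> validated {redirect_header_names(probe, True)}")
    print("off-site:", legal_return_url("https://attacker.example/"))
    print("legitimate:", legal_return_url("/rhn/systems/Overview.do?empty_set=true"))
```

Rejecting to the default page rather than stripping the bad characters keeps the validator a pure allow-list: a value the application never generates is treated as attacker input, and there is no sanitised prefix to reason about. The lenient parser in header_names is there to make the point of comment 12 concrete: checking only 0x0D leaves the bare-LF split open.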

Comment 21 Grant Gainey 2014-02-05 19:24:04 UTC
commit 3f3ce1687b5ae561bf5d8ae6450172fadfa2c2bb

Comment 25 errata-xmlrpc 2014-02-10 17:33:14 UTC
This issue has been addressed in following products:

  Red Hat Satellite Server v 5.6

Via RHSA-2014:0148 https://rhn.redhat.com/errata/RHSA-2014-0148.html
