Bug 966804 - (CVE-2013-2113) CVE-2013-2113 Foreman: app/controllers/users_controller.rb arbitrary admin user creation due to mass assignment
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://projects.theforeman.org/issues...
Whiteboard: impact=moderate,public=20130607,repor...
Keywords: Security
Depends On: 966823 966825
Blocks: 966806
Reported: 2013-05-23 22:41 EDT by Kurt Seifried
Modified: 2016-04-26 16:28 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-07-15 23:47:10 EDT

Description Kurt Seifried 2013-05-23 22:41:48 EDT
Ramon de C Valle (rcvalle@redhat.com) reports:

There is a mass assignment vulnerability in the create method of the
UsersController controller.

The create method in app/controllers/users_controller.rb deletes the
user-controlled user[admin] parameter from the params hash but saves it to a
local variable and assigns it to the newly created user object, bypassing the
:attr_protected mechanism.

  def create
    # user[admin] is removed from params, so attr_protected never sees it...
    admin = params[:user].delete :admin
    # ...and is then set directly in the initializer block, after the guard
    @user = User.new(params[:user]){|u| u.admin = admin }
    if @user.save
      @user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
      process_success
    else
      process_error
    end
  end

Any non-admin user with permissions to create other (non-admin) users
(i.e. with Manager role) can create arbitrary admin users by sending a
specially-crafted POST request.
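As an added illustration that is not part of this bug report or of Foreman's code: a plain-Ruby stand-in for the Rails mass-assignment guard, showing why the block-assignment pattern quoted above bypasses attr_protected, and how gating the flag on the caller's own privilege closes the hole. The User class, the create_vulnerable and create_hardened methods, and the sample request are all constructed for this example; the hardened variant illustrates the principle (only an admin may grant admin), not the upstream commit.

```ruby
# Constructed example: a minimal model with attr_protected-style guarding.
class User
  ASSIGNABLE = %w[login mail].freeze   # every other attribute behaves as attr_protected
  attr_accessor :login, :mail
  attr_reader :admin

  # Mirrors ActiveRecord's boolean cast so "1"/"true" from a form become true.
  def admin=(value)
    @admin = [true, "1", "true"].include?(value)
  end

  # Mass assignment with protection: keys outside ASSIGNABLE are dropped.
  # The optional block runs *after* that guard, exactly as in the report,
  # so anything assigned inside it never passes through attr_protected.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      public_send("#{key}=", value) if ASSIGNABLE.include?(key.to_s)
    end
    yield self if block_given?
  end
end

# Vulnerable controller logic (constructed, mirroring the quoted pattern):
# user[admin] is pulled out of params and re-applied inside the block.
def create_vulnerable(params)
  user_params = params[:user].dup
  admin = user_params.delete(:admin)
  User.new(user_params) { |u| u.admin = admin }
end

# Hardened variant (assumption for illustration, not Foreman's fix):
# the requested flag is honoured only when the caller is itself an admin,
# so a Manager-level account cannot escalate through a crafted request.
def create_hardened(params, current_user)
  user_params = params[:user].dup
  requested_admin = user_params.delete(:admin)
  User.new(user_params) do |u|
    u.admin = current_user.admin ? requested_admin : false
  end
end

# Constructed fixtures: a non-admin "manager" caller, an admin caller,
# and a crafted request that tries to set user[admin]=1.
MANAGER = User.new("login" => "manager")           # admin stays false
ADMIN_CALLER = User.new("login" => "root")
ADMIN_CALLER.admin = true                          # direct write outside mass assignment
CRAFTED = { user: { login: "backdoor", mail: "x@example.invalid", admin: "1" } }

if __FILE__ == $0
  puts "vulnerable, manager caller: admin=#{create_vulnerable(CRAFTED).admin}"
  puts "hardened,   manager caller: admin=#{create_hardened(CRAFTED, MANAGER).admin}"
  puts "hardened,   admin caller:   admin=#{create_hardened(CRAFTED, ADMIN_CALLER).admin}"
end
```

The point the example makes is that attr_protected only filters what goes through mass assignment; any value assigned afterwards, in an initializer block or a plain setter, is trusted regardless of who supplied it. The decision of whether a caller may set a privileged attribute therefore has to be made explicitly against the caller's own privileges, which is what the hardened variant does.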
Comment 4 Dominic Cleal 2013-06-07 05:48:17 EDT
Upstream tracker: http://projects.theforeman.org/issues/2630

A fix has been committed:
commit bae665de387d63f93740670ec2542db90084d0eb
Author: Marek Hulan <mhulan@redhat.com>
Date:   Thu Jun 6 11:25:17 2013 +0200

    fixes #2630 - restrict assignment of roles to those a user has (CVE-2013-2113)

And cherry-picked to stable branches:
1.2-stable: b52383d075abe611ac18db3925a787fa4b94b33b
1.1-stable: 7eadf32c83381aadc092cded68efff04ef20e07a

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975
Comment 5 Murray McAllister 2013-06-13 03:20:19 EDT
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Comment 7 Kurt Seifried 2013-06-13 12:05:30 EDT
This issue is public: http://projects.theforeman.org/issues/2630
Comment 8 errata-xmlrpc 2013-06-27 12:44:58 EDT
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html
