Red Hat Bugzilla – Bug 967910
updates can be made cross-domain
Last modified: 2013-07-11 01:53:53 EDT
Description of problem:
Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access PressGang with the following one-liner:
echo -e "OPTIONS /pressgang-ccms/rest/1/topic/update/json HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nOrigin: http://4chan.org\r\nAccess-Control-Request-Method: POST\r\nAccess-Control-Request-Headers: content-type\r\n" | nc skynet.usersys.redhat.com 8080
Among the headers returned will be:
Actions that update PressGang content should be restricted by the same-origin policy or by CSRF protection.
Allowing cross-site access itself is not necessarily a bug, nor is lack of CSRF protection. However, taking one as a "design decision" suggests the other is a bug. For the sister bug, see:
This bug is part of a trio of bugs featured in a proof-of-concept (POC) drive-by attack I've written. For the others, see: https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b
To try out the POC, visit:
That page will generate a random nonce and attempt to add it to a PressGang topic. Open the PressGang link presented by the POC in another tab and scroll to the bottom of the XML source. You should see that the nonce created by the POC has been successfully embedded in the form of a comment. Finally, examine the revisions tab and see that this revision has been associated with the user mcaspers and that the revision message also refers to the generated nonce.
In summary, arbitrary web content can make changes to PressGang resources and associate those changes with any user. Since PressGang currently lacks authentication of any kind, there is no user or session protection to constrain the timing of these attacks to when users are "logged in". The VPN also offers no protection. Malicious users outside Red Hat may make changes to PressGang topics at will simply by having users browse malicious content while connected to the VPN.
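To make the preflight behaviour concrete, here is an added example (not part of this bug report or of PressGang) that evaluates a CORS preflight response the way a browser would for the credential-free request described above, and contrasts an Origin-reflecting response with an allowlist-based one. The response headers and the allowed origin https://docs.example.com are constructed placeholders, not values taken from the server.

```python
from typing import Dict, Iterable, Optional

# Constructed preflight response modelled on the report: the server echoes the
# supplied Origin and permits POST with a content-type header, so any site may
# drive the update endpoint from a visitor's browser.
REFLECTING_PREFLIGHT = {
    "Access-Control-Allow-Origin": "http://4chan.org",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Allow-Headers": "content-type",
}

# Constructed allowlist standing in for the origin that legitimately hosts the UI.
ALLOWED_ORIGINS = ["https://docs.example.com"]

# Methods a browser may send cross-origin even when Allow-Methods omits them.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def preflight_permits(headers: Dict[str, str], origin: str, method: str,
                      request_headers: Iterable[str] = ()) -> bool:
    """True if a browser would send `method` from `origin` after this preflight.
    Credentials mode is assumed 'omit' (no cookies/auth), as in the report,
    so a wildcard '*' counts as a match."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("access-control-allow-origin", "") not in ("*", origin):
        return False

    def listed(name: str) -> set:
        return {v.strip().lower() for v in h.get(name, "").split(",") if v.strip()}

    methods = listed("access-control-allow-methods")
    if (method.lower() not in methods and method.upper() not in SAFELISTED_METHODS
            and "*" not in methods):
        return False
    allowed = listed("access-control-allow-headers")
    return all(r.lower() in allowed or "*" in allowed for r in request_headers)


def preflight_response(origin: Optional[str], allowed_origins: Iterable[str]) -> Dict[str, str]:
    """Allowlist-based preflight: only listed origins receive CORS headers;
    everything else gets none, so the browser blocks the cross-origin call."""
    if origin is None or origin not in set(allowed_origins):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # exact listed origin, never "*"
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
        "Access-Control-Allow-Headers": "content-type",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }
```

Note that CORS only governs preflighted and readable cross-origin requests; a plain form-encoded POST is sent without preflight, so the endpoint still needs CSRF tokens or authentication regardless of the allowlist.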