Bug 967910 - updates can be made cross-domain

Status: NEW
Product: PressGang CCMS
Classification: Community
Component: Web-UI
Version: 1.1
Platform: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: pressgang-ccms-dev
Keywords: Security
Reported: 2013-05-28 10:36 EDT by Trevor Jay
Modified: 2013-07-11 01:53 EDT
Doc Type: Bug Fix
Type: Bug
Attachments: None

Description Trevor Jay 2013-05-28 10:36:37 EDT
Description of problem:


How reproducible:

always.

Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access PressGang with the following one-liner:

printf "OPTIONS /pressgang-ccms/rest/1/topic/update/json HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nOrigin: http://4chan.org\r\nAccess-Control-Request-Method: POST\r\nAccess-Control-Request-Headers: content-type\r\n\r\n" | nc skynet.usersys.redhat.com 8080

Actual results:

Among the headers returned will be:

Access-Control-Allow-Headers: content-type
Access-Control-Allow-Origin: *

and

Access-Control-Allow-Methods: POST

Expected results:

Actions that update PressGang content should be restricted by a same origin policy or CSRF.

Additional info:

Allowing cross-site access itself is not necessarily a bug, nor is lack of CSRF protection. However, taking one as a "design decision" suggests the other is a bug. For the sister bug, see:

https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=axiomatic-a3af6ae0b916

This bug is part of a trio of bugs featured in a proof-of-concept (POC) drive-by attack I've written. For the others, see: https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b

To try out the POC, visit: 

http://file.bne.redhat.com/~tjay/poc/pressgang/fc5fd70a912b/

That page will generate a random nonce and attempt to add it to a PressGang topic. Open the PressGang link presented by the POC in another tab and scroll to the bottom of the XML source. You should see the nonce created in the POC has been successfully embedded in the form of a comment. Finally, examine the revisions tab and see that this revision has been associated with the user mcaspers and that the revision message also refers to the generated nonce.

In summary, arbitrary web-content can make changes to PressGang resources and associate those changes with any user. Since PressGang currently lacks authentication of any kind, there is no user or session protection to constrain the timing of these attacks to when users are "logged in". The VPN also offers no protection. Malicious users outside Red Hat may make changes to PressGang topics at will simply by having users browse malicious content while connected to the VPN.
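As an added illustration (written for this page; not code from the bug report or from PressGang), the Python below rebuilds the preflight from the nc one-liner, parses the response, and applies the browser's CORS preflight rules (a simplified form of the Fetch specification's checks) to decide whether a page on an arbitrary origin would be allowed to send the follow-up JSON POST. The sample response is constructed from the three headers quoted under "Actual results"; the host, path and origin come from the one-liner; the hardened comparison origin `https://pressgang.example` is an assumed placeholder.

```python
"""Added example: CORS preflight check for the PressGang update endpoint.

Illustration code written for this page, not code from the bug report or
from PressGang. The sample response is constructed from the headers quoted
in the report; host, path and origin are those in the nc one-liner.
"""
import socket
import sys

# Values taken from the one-liner in the report.
HOST = "skynet.usersys.redhat.com"
PORT = 8080
PATH = "/pressgang-ccms/rest/1/topic/update/json"
ATTACKER_ORIGIN = "http://4chan.org"

# Constructed sample: the three headers quoted under "Actual results".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Access-Control-Allow-Headers: content-type\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"Access-Control-Allow-Methods: POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Methods and header names a browser sends cross-origin without the server
# listing them (CORS-safelisted). Content-Type is only safelisted for form
# and text/plain values, so an application/json body still needs it listed.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}


def build_preflight(host=HOST, port=PORT, path=PATH, origin=ATTACKER_ORIGIN,
                    method="POST", request_headers="content-type"):
    """Raw OPTIONS preflight, as a browser sends it before a JSON POST."""
    lines = [
        f"OPTIONS {path} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Origin: {origin}",
        f"Access-Control-Request-Method: {method}",
        f"Access-Control-Request-Headers: {request_headers}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def _csv(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_allows(headers, origin, method, request_headers, credentials=False):
    """Return True if a browser would let the actual request through."""
    acao = headers.get("access-control-allow-origin", "")
    if credentials:
        # With cookies or HTTP auth the origin must be echoed exactly and
        # Access-Control-Allow-Credentials must be true; "*" is rejected.
        if acao != origin:
            return False
        if headers.get("access-control-allow-credentials", "").lower() != "true":
            return False
    elif acao not in ("*", origin):
        return False

    allowed_methods = _csv(headers.get("access-control-allow-methods", ""))
    wildcard_methods = "*" in allowed_methods and not credentials
    if (method.lower() not in allowed_methods and not wildcard_methods
            and method.upper() not in SAFELISTED_METHODS):
        return False

    allowed_headers = _csv(headers.get("access-control-allow-headers", ""))
    wildcard_headers = "*" in allowed_headers and not credentials
    for name in request_headers:
        name = name.lower()
        if (name not in allowed_headers and not wildcard_headers
                and name not in SAFELISTED_HEADERS):
            return False
    return True


def assess(raw_response, origin=ATTACKER_ORIGIN, method="POST",
           request_headers=("content-type",)):
    """Classify a preflight response; returns (allowed, finding)."""
    status, headers = parse_response(raw_response)
    allowed = preflight_allows(headers, origin, method, request_headers)
    if allowed and headers.get("access-control-allow-origin") == "*":
        finding = "any web page may send this state-changing request"
    elif allowed:
        finding = f"origin {origin} is explicitly trusted for this request"
    else:
        finding = "browser would block the cross-origin request"
    return allowed, finding


def send_preflight(host=HOST, port=PORT, timeout=5):
    """Send the preflight over a plain socket and return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_preflight(host, port))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline by default; pass --live to query the host from the report.
    raw = send_preflight() if "--live" in sys.argv else SAMPLE_RESPONSE
    allowed, finding = assess(raw)
    print("preflight allows POST from", ATTACKER_ORIGIN, "->", allowed, "|", finding)
```

The check shows why the report's two headers together are the problem: `Access-Control-Allow-Origin: *` on its own would be blocked for a credentialed request, but PressGang has no authentication, so the browser sends the POST without credentials, the wildcard is accepted, `content-type` is listed, and the request goes through from any origin. Replacing the wildcard with an explicit trusted origin (or removing the CORS headers from the update endpoint entirely) makes the same check return False for the attacker origin.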
