Ramon de C Valle (rcvalle) reports:

There is a code injection vulnerability in the create method of the Bookmarks controller. The create method uses the (mass-assigned) controller attribute of the newly created bookmark in an eval statement without sanitizing it:

    def create
      @bookmark = Bookmark.new(params[:bookmark])
      respond_to do |format|
        if @bookmark.save
          format.html { redirect_to(eval(@bookmark.controller+"_path"), :notice => _('Bookmark was successfully created.')) }
        else
          format.html { render :action => "new" }
        end
      end
    end

Any user with permissions to create a bookmark can execute arbitrary code and arbitrary system commands by sending a specially-crafted POST request. The controller attribute is validated with the regular expression /\A(\S+)\Z/, which prevents us from using code containing spaces. However, this can be easily circumvented (see example (a)). The following are some possible example attacks, including arbitrary command execution.
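To illustrate the defect and its remedy, here is an added example that is not Foreman's code and not part of the report above. It puts the eval-based lookup from the report next to an allowlisted lookup, using stand-in route helpers (hosts_path, hostgroups_path) and a constructed allowlist in place of the real routes. The point it makes is that the /\A(\S+)\Z/ format check only rejects whitespace, so it cannot serve as an input filter for code evaluation; the safe version never evaluates the attribute at all and maps it through a fixed table of known controllers.

```ruby
# Added example (not Foreman's code): eval-based route lookup versus an
# allowlisted lookup. Route helpers and controller names below are
# constructed stand-ins for what Rails would generate from routes.rb.

# Stand-ins for Rails route helpers (hypothetical).
def hosts_path;      "/hosts";      end
def hostgroups_path; "/hostgroups"; end

# Format validation from the advisory: it rejects whitespace and nothing else,
# so punctuation and arbitrary non-space characters all pass.
CONTROLLER_FORMAT = /\A(\S+)\Z/

def passes_format_validation?(value)
  !!(value =~ CONTROLLER_FORMAT)
end

# Vulnerable shape, same pattern as the report: the attribute is spliced into
# a string of code and evaluated, so whatever the string contains is executed.
def redirect_path_unsafe(controller)
  eval(controller + "_path")
end

# Hardened shape: resolve the attribute through a fixed allowlist of known
# controllers and call only the helper named in that table. Unknown values are
# rejected before any lookup, and no user-controlled text reaches eval.
ROUTE_HELPERS = {
  "hosts"      => :hosts_path,
  "hostgroups" => :hostgroups_path,
}.freeze

def redirect_path_safe(controller)
  helper = ROUTE_HELPERS[controller]
  raise ArgumentError, "unknown controller #{controller.inspect}" unless helper
  send(helper)
end

if __FILE__ == $PROGRAM_NAME
  puts redirect_path_safe("hosts")                     # "/hosts"
  puts passes_format_validation?("hosts,domains")      # true: regex is not a filter
  begin
    redirect_path_safe("hosts,domains")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

In a real Rails controller the same idea is expressed by validating the controller attribute with `inclusion: { in: KNOWN_CONTROLLERS }` and building the redirect with a lookup rather than eval; the example keeps the logic framework-free so it runs stand-alone.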
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Upstream tracker: http://projects.theforeman.org/issues/2631

A fix has been committed:

    commit ef4b97d177c58c9532730d53dca0517bc869a0ce
    Author: Joseph Mitchell Magen <jmagen>
    Date:   Mon Jun 3 18:11:32 2013 +0100

        fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)

And cherry-picked to stable branches:

    1.2-stable: 2f3839eb9928bd04876c2e1bfe509cd9ed120991
    1.1-stable: 8920e796a285201e9e0f6af0220e79d257077d7d

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975
This issue is public: http://projects.theforeman.org/issues/2631
This issue has been addressed in the following products:

    OpenStack 3 for RHEL 6
    Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html