Bug 968166 (CVE-2013-2121) - CVE-2013-2121 Foreman: app/controllers/bookmarks_controller.rb remote code execution
Alias: CVE-2013-2121
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://projects.theforeman.org/issues...
Depends On: 968172 968173 969029
Blocks: 966806
Reported: 2013-05-29 07:08 UTC by Garth Mollett
Modified: 2023-05-12 19:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-05-20 05:23:38 UTC


Errata System: Red Hat Product Errata
Errata ID: RHSA-2013:0995
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Errata Summary: Important: Foreman security and bug fix update
Last Updated: 2013-06-27 20:43:49 UTC

Description Garth Mollett 2013-05-29 07:08:18 UTC
Ramon de C Valle (rcvalle) reports:

There is a code injection vulnerability in the create method of the
Bookmarks controller. The create method uses the (mass-assigned)
controller attribute of the newly created bookmark in an eval statement
without sanitizing it:

def create
  @bookmark = Bookmark.new(params[:bookmark])

  respond_to do |format|
    if @bookmark.save
      # Vulnerable: the user-supplied controller attribute is evaluated as Ruby
      format.html { redirect_to(eval(@bookmark.controller+"_path"),
                                :notice => _('Bookmark was successfully created.')) }
    else
      format.html { render :action => "new" }
    end
  end
end

Any user with permissions to create a bookmark can execute arbitrary
code and arbitrary system commands by sending a specially-crafted POST
request. The controller attribute is validated with the regular
expression /\A(\S+)\Z/, which prevents us from using code containing
spaces. However, this can be easily circumvented (see example (a)). The
following are some possible example attacks, including arbitrary command
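
The pattern described above, reduced to a stand-alone Ruby script as an added illustration (this is not Foreman code and not the upstream fix): a string that has merely passed /\A(\S+)\Z/ is still executed in full by eval before the "_path" suffix is ever resolved, whereas the alternative checks the name against a fixed allowlist and dispatches with send, so no Ruby source is built from input. The hosts_path and bookmarks_path helpers and the allowlist contents are stand-ins for Rails route helpers; the side-effecting input is a constructed, deliberately harmless string that only assigns a global variable.

```ruby
# Added illustration of the CVE-2013-2121 pattern; not Foreman's code and
# not the upstream fix. Route helpers and the allowlist are stand-ins.

# The validation quoted in the report: rejects whitespace, constrains nothing else.
CONTROLLER_FORMAT = /\A(\S+)\Z/

# Stand-ins for Rails' *_path route helpers (assumed names).
def hosts_path;     "/hosts";     end
def bookmarks_path; "/bookmarks"; end

# Allowlist of controller names that may be turned into a route helper.
KNOWN_CONTROLLERS = %w[hosts bookmarks].freeze

def format_check_passes?(controller)
  CONTROLLER_FORMAT.match?(controller)
end

# Vulnerable shape from the report: the regex-validated string goes into eval,
# so any Ruby without whitespace runs before "<name>_path" is looked up.
def vulnerable_redirect_target(controller)
  raise ArgumentError, "invalid controller" unless format_check_passes?(controller)
  eval(controller + "_path")
end

# Hardened shape: membership in a fixed allowlist, then dispatch by name.
# No source is constructed from user input, and send only reaches a helper
# that is already known to exist.
def safe_redirect_target(controller)
  raise ArgumentError, "invalid controller" unless KNOWN_CONTROLLERS.include?(controller)
  send("#{controller}_path")
end

if __FILE__ == $0
  # Legitimate use behaves identically in both versions.
  puts vulnerable_redirect_target("hosts")   # /hosts
  puts safe_redirect_target("hosts")         # /hosts

  # Constructed, harmless input with no whitespace: it passes the regex, and the
  # eval-based version executes the assignment before evaluating hosts_path.
  payload = "$demo_marker=:executed;hosts"
  puts format_check_passes?(payload)         # true
  $demo_marker = nil
  puts vulnerable_redirect_target(payload)   # /hosts
  puts $demo_marker.inspect                  # :executed

  # The allowlisted version rejects the same input before anything runs.
  begin
    safe_redirect_target(payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end

  # Side caveat: \Z also accepts a trailing newline; \z would not. The
  # allowlist makes this irrelevant because the exact string must match.
  puts format_check_passes?("hosts\n")       # true
end
```

The allowlist is the actual control here; send on its own would still let an attacker call any method ending in _path, so the membership check has to come first.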

Comment 4 Murray McAllister 2013-05-30 22:20:50 UTC

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 5 Dominic Cleal 2013-06-07 09:48:22 UTC
Upstream tracker: http://projects.theforeman.org/issues/2631

A fix has been committed:
commit ef4b97d177c58c9532730d53dca0517bc869a0ce
Author: Joseph Mitchell Magen <jmagen>
Date:   Mon Jun 3 18:11:32 2013 +0100

    fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)

And cherry-picked to stable branches:
1.2-stable: 2f3839eb9928bd04876c2e1bfe509cd9ed120991
1.1-stable: 8920e796a285201e9e0f6af0220e79d257077d7d

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975

Comment 9 Kurt Seifried 2013-06-13 16:05:18 UTC
This issue is public: http://projects.theforeman.org/issues/2631

Comment 10 errata-xmlrpc 2013-06-27 16:45:31 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html
