Ramon de C Valle (rcvalle) reports:

There is a mass assignment vulnerability in the create method of the UsersController controller. The create method in app/controllers/users_controller.rb deletes the user-controlled user[admin] parameter from the params hash but saves it to a local variable and assigns it to the newly created user object, bypassing the :attr_protected mechanism.

    def create
      admin = params[:user].delete :admin
      @user = User.new(params[:user]){|u| u.admin = admin }
      if @user.save
        @user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
        process_success
      else
        process_error
      end
    end

Any non-admin user with permissions to create other (non-admin) users (i.e., with the Manager role) can create arbitrary admin users by sending a specially-crafted POST request.
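To make the bypass concrete, the following added example (not Foreman's code, and not the upstream fix) simulates attr_protected with a plain Ruby class and shows the reported `create` pattern beside a hardened variant that only honours the admin flag when the acting user is itself an admin; the `create_fixed` check is an assumption of this example.

```ruby
# Minimal stand-in for an ActiveRecord model using attr_protected :admin.
# Mass assignment (new/attributes=) drops protected keys; direct writers
# (u.admin = ...) do not, which is exactly what the block in `create` relied on.
class User
  PROTECTED = %w[admin].freeze
  attr_accessor :login, :admin

  # Mimics ActiveRecord's `new(attrs) { |u| ... }`: mass-assign first, then
  # yield the object so the block can set attributes directly.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |k, v|
      k = k.to_s
      next if PROTECTED.include?(k) # attr_protected behaviour: key silently dropped
      public_send("#{k}=", v)
    end
    yield self if block_given?
  end
end

# Vulnerable pattern from the advisory: the protected key is removed from the
# params hash but handed straight to the writer, sidestepping attr_protected.
def create_vulnerable(params)
  user_params = params[:user].dup
  admin = user_params.delete(:admin)
  User.new(user_params) { |u| u.admin = admin }
end

# Hardened variant (an assumption of this example, not the Foreman commit):
# drop the key from the request and only honour it when the acting user is
# allowed to grant it, so a Manager cannot mint admins.
def create_fixed(params, current_user)
  user_params = params[:user].dup
  requested_admin = user_params.delete(:admin)
  User.new(user_params) do |u|
    u.admin = true if requested_admin && current_user.admin
  end
end

if __FILE__ == $PROGRAM_NAME
  crafted = { user: { login: "mallory", admin: true } }   # constructed request body
  manager = User.new(login: "manager")                   # non-admin creator
  puts create_vulnerable(crafted).admin                  # true
  puts create_fixed(crafted, manager).admin              # false
end
```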
Upstream tracker: http://projects.theforeman.org/issues/2630

A fix has been committed:

    commit bae665de387d63f93740670ec2542db90084d0eb
    Author: Marek Hulan <mhulan>
    Date:   Thu Jun 6 11:25:17 2013 +0200

        fixes #2630 - restrict assignment of roles to those a user has (CVE-2013-2113)

And cherry-picked to stable branches:

    1.2-stable: b52383d075abe611ac18db3925a787fa4b94b33b
    1.1-stable: 7eadf32c83381aadc092cded68efff04ef20e07a

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
This issue is public: http://projects.theforeman.org/issues/2630
This issue has been addressed in the following products:

    OpenStack 3 for RHEL 6    Via RHSA-2013:0995    https://rhn.redhat.com/errata/RHSA-2013-0995.html