Jan Rusnacko of Red Hat reports:
currently CSRF protection of CFME is based on checking the referer header.
Implementation of the check is not strict enough and permits attacker CSRF in
certain scenarios. Assuming CFME is running on cfme.host and client's browser
sent referer without a full path during authentication, attacker can mount CSRF
from domain cfme.host.evil.com, which will bypass CSRF referer check.
Code in the request_referer_service.rb contains following:
def referer_valid?(referer, string_to_test)
This check only makes sure that referer starts with string_to_test, with the
assumption that it is FQDN of CFME host. String to test is set in
DashboardController in authenticate action:
538: session['referer'] = request.referer.sub(/\?.*/,'')
When user first authenticates, CFME saves the referer. Login form, from which
user fires off authenticate request, is located at the root, so referer should
contain URL in form "https://cfme.host/". This is stripped from any parameters
and saved to session['referer'], which will again contain "https://cfme.host/"
for the rest of the session. Any subsequent user requests must include referer
starting with "https://cfme.host/".
Sending referer header raises privacy concerns. To mitigate them, referer sent
by the client may not include full URL, but only protocol+hostname instead of
full path. This is exactly idea behind original proposal of Origin header (for
details see ). Stripping full URL to hostname (or just domain) can be
achieved by for example by Referer Control addon to Firefox, or perhaps
implemented at network level as a part of company security policy.
If the client sends authenticate request without trailing "/", then
session['referer'] will contain something like "https://cfme.host", or just
"cfme.host", and attacker can simply mount CSRF from "cfme.host.evil.com" and
pass the check.
This attack on broken Referer check implementation is described in OWASP CSRF
prevention cheat sheet .
proposed upstream fix: https://github.com/ManageIQ/cfme/pull/2179
This is public now: https://github.com/ManageIQ/cfme/pull/2179
The above is not "public". It's a private repo.
This issue has been addressed in following products:
CloudForms Management Engine 5.x
Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html