oss-sec mailing list archives

CVE-2016-3693: Foreman application information leakage through templates

From: Dominic Cleal <dominic () cleal org>
Date: Wed, 20 Apr 2016 16:03:08 +0100

CVE-2016-3693: Foreman application information leakage through template
rendering

A provisioning template containing `inspect` will expose sensitive
information about the Rails controller and application when rendered
when using Safemode rendering (the default setting). This includes the
application secret token, possibly permitting a privilege escalation
when the app is using signed cookies.

Thanks to Ivan Necas for reporting the issue.

As a precaution, the security token may be regenerated with:

  chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb
  foreman-rake security:generate_token
  chown root /usr/share/foreman/config/initializers/local_secret_token.rb

Mitigation: remove edit_provisioning_templates from untrusted users.

Affects all known Foreman versions
Fix released in Foreman 1.11.1 and safemode 1.2.4

Patches:
1. The safemode gem (https://rubygems.org/gems/safemode) was patched to
disallow the inspect instance method:
https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f
2. Foreman was patched to use this in
https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2

More information:
http://theforeman.org/security.html#2016-3693
http://projects.theforeman.org/issues/14635
http://theforeman.org/

-- 
Dominic Cleal
dominic () cleal org

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE-2016-3693: Foreman application information leakage through templates Dominic Cleal (Apr 20)