Icinga / icingaweb2

A lightweight and extensible web interface to keep an eye on your environment. Analyse problems and act on them.
https://icinga.com/get-started/
GNU General Public License v2.0

[dev.icinga.com #12169] SECURITY: user preferences INI store seems pretty prone to hacking #2489

Open icinga-migration opened 8 years ago

icinga-migration commented 8 years ago

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12169

Created by calestyo on 2016-07-17 01:43:53 +00:00

Assignee: (none) Status: New Target Version: (none) Last Update: 2016-07-17 01:45:00 +00:00 (in Redmine)


Hi.

1) As mentioned in some other bugs before, there is no guarantee on what a username looks like. It could contain any possible evil character like / or .. as well as the ones that are syntactically important in INI files, things like [ ] = " ,

Icinga Web 2 seems to do no quoting in that area at all, which alone is already pretty bad and quite suspicious to allow for attacks.

This seems especially bad when user permissions are stored, as this is done (for whatever reason??) in a one-file-per-user fashion. I, having the X509 based HTTP Basic Auth from Apache, get a username like: /C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen/CN=Christoph Anton Mitterer, that is, Apache simply takes the DN and puts it in [REDIRECT_]REMOTE_USER

What does Icinga Web 2 do? It doesn't even filter out the / and I get

    tree /etc/icingaweb2/preferences/
    /etc/icingaweb2/preferences/
    └── c=de
        └── o=gridgermany
            └── ou=ludwig-maximilians-universitaet muenchen
                └── cn=christoph anton mitterer
                    └── config.ini

I haven't checked, but I'd expect you don't filter out ".." either, do you? Given that most people will unfortunately run PHP in dumb-apache-mod SAPI, this means that writes can be done as the www-data user (or whatever the distro uses)... which makes it quite likely that this can be used for some forms of attack (even if it's just placing config.ini in another web area).

Due to the problems described in #12160, it's right now not even really possible to harden the PHP config, as Icinga Web 2 needs very broad access rights, even to places where it shouldn't. So even if a user does that hardening on his own (unfortunately, no PHP INI examples that work out of the box are provided by you guys), he cannot do that much.

2) Another problem that we see here: when saving, you lower-case everything for no good reason (or is there any??). But there is no assertion that the username as provided by some backend is actually case insensitive! In fact I'd strongly assume this is not the case for HTTP Basic Auth user names (neither is it for X.509 client cert subject properties), e.g. /C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen/CN=Christoph Anton Mitterer would be someone other than /C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen/CN=christoph anton mitterer

Cheers, Chris.

icinga-migration commented 8 years ago

Updated by calestyo on 2016-07-17 01:45:00 +00:00

I've just seen, that the bug tracker doesn't align the directory tree properly... just imagine that these are shifted, i.e. each line is the subdir of the previous (and config.ini a file of the parent dir).
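As an added example (not Icinga Web 2's own code), the two problems the report raises, modelled in Python: `naive_path` reproduces the lower-cased, unquoted splicing of the username into the preferences path, `escapes_base` is the containment check a reviewer would want on any such path, and `safe_path` is one hypothetical hardening that keys the per-user directory on a hash of the exact username. The DN and the preferences directory come from the report; the function names and the hashing approach are assumptions.

```python
import os
from hashlib import sha256

PREFS_DIR = "/etc/icingaweb2/preferences"  # the directory named in the report


def naive_path(base_dir: str, username: str) -> str:
    """Model of the pattern the report describes: the raw username is
    lower-cased and spliced into the path, so '/' creates subdirectories,
    '..' walks out of base_dir, and case differences collapse into one user."""
    return f"{base_dir}/{username.lower()}/config.ini"


def escapes_base(base_dir: str, path: str) -> bool:
    """True if the normalised path lies outside base_dir (the check that
    would have flagged a '..' in the username)."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def user_dir_name(username: str) -> str:
    """Hypothetical hardening (not Icinga's code): key the per-user directory
    on a hash of the exact username. Only hex digits reach the filesystem, so
    '/', '..' and INI metacharacters ([ ] = " ,) never become path or section
    syntax, and 'CN=Christoph' and 'cn=christoph' remain distinct users."""
    return sha256(username.encode("utf-8")).hexdigest()


def safe_path(base_dir: str, username: str) -> str:
    """Return <base_dir>/<hash>/config.ini, with a containment check as
    defence in depth (it can never fail for a hex name, but costs nothing)."""
    if not username or "\x00" in username:
        raise ValueError("empty or NUL-containing username")
    candidate = os.path.join(base_dir, user_dir_name(username), "config.ini")
    if escapes_base(base_dir, candidate):
        raise ValueError("resolved path escapes the preferences directory")
    return candidate


if __name__ == "__main__":
    dn = ("/C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen"
          "/CN=Christoph Anton Mitterer")
    print(naive_path(PREFS_DIR, dn))   # the nested c=de/o=gridgermany/... tree
    print(escapes_base(PREFS_DIR, naive_path(PREFS_DIR, "../../../tmp/x")))
    print(safe_path(PREFS_DIR, dn))    # one flat, fixed-width directory
```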