Bug #7728
Required SSL redirect relies on Host header, which may be spoofed
Status: New (open)
Priority: Normal
Assignee: -
Category: Security
Target version: -
Description
Foreman allows an SSL connection to be forced by setting require_ssl to true in settings.yaml. The enforcement is implemented in app/controllers/application_controller.rb as shown below:

    def require_ssl
      # if SSL is not configured, don't bother forcing it.
      return true unless SETTINGS[:require_ssl]
      # don't force SSL on localhost
      return true if request.host=~/localhost|127.0.0.1/
      # finally - redirect
      redirect_to :protocol => 'https' and return if request.protocol != 'https://' and not request.ssl?
    end

The SSL connection is not forced when the request arrives with a Host header matching /localhost|127.0.0.1/. That header is supplied by the client, so it can be spoofed to bypass the check. In the session below the request is sent over plain HTTP from 192.168.100.1 with Host: 127.0.0.1, and the redirect that comes back still points at http://, not https://:

    $ nc 192.168.100.2 3000 <<EOF
    GET / HTTP/1.1
    Host: 127.0.0.1
    EOF
    HTTP/1.1 302 Found
    Location: http://127.0.0.1/users/login
    ...
    $ ip route get 192.168.100.2
    192.168.100.2 dev virbr1 src 192.168.100.1
There are two possible solutions:
a) implement the check to rely on IP address:
return true if request.remote_ip == "127.0.0.1"
b) if the exception is not needed, remove the localhost exception altogether
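The following is an added example, not Foreman's code: a minimal model of the require_ssl check above with the Host-based exception beside the two proposed fixes, so the difference in behaviour on a spoofed request can be checked directly. The Request struct is a constructed stand-in for the Rails request object and models only the fields the check reads (host from the Host header, remote_ip from the connection, ssl?); the address 192.168.100.1 is taken from the session in the report. Each predicate returns true when the request should be redirected to https.

```ruby
# Constructed stand-in for ActionDispatch::Request (not the real class):
# host is whatever the client put in the Host header, remote_ip is the
# peer address of the connection, ssl is whether TLS was used.
Request = Struct.new(:host, :remote_ip, :ssl, keyword_init: true) do
  def ssl?
    ssl
  end
end

# Vulnerable form, as in the report: the localhost exception keys off the
# Host header, which the client controls.
def redirect_to_https_host_based?(req, require_ssl: true)
  return false unless require_ssl               # feature switched off
  return false if req.host =~ /localhost|127.0.0.1/  # client-controlled value
  !req.ssl?
end

# Option (a): key the exception off the peer address instead of the header.
# Note: in Rails, remote_ip can itself be derived from X-Forwarded-For when
# the app sits behind a proxy, so the trusted-proxy configuration matters.
def redirect_to_https_ip_based?(req, require_ssl: true)
  return false unless require_ssl
  return false if req.remote_ip == '127.0.0.1'
  !req.ssl?
end

# Option (b): no localhost exception at all; any plain-HTTP request is
# redirected. Nothing in the request can switch the check off.
def redirect_to_https_no_exception?(req, require_ssl: true)
  return false unless require_ssl
  !req.ssl?
end

# Replays the report's scenario: a LAN client at 192.168.100.1 sends a plain
# HTTP request carrying "Host: 127.0.0.1". Returns, per variant, whether the
# request would be redirected to https.
def evaluate_spoofed_host
  req = Request.new(host: '127.0.0.1', remote_ip: '192.168.100.1', ssl: false)
  {
    host_based: redirect_to_https_host_based?(req),   # false: bypassed
    ip_based: redirect_to_https_ip_based?(req),       # true: redirected
    no_exception: redirect_to_https_no_exception?(req) # true: redirected
  }
end

if __FILE__ == $PROGRAM_NAME
  evaluate_spoofed_host.each { |variant, redirected| puts "#{variant}: redirect=#{redirected}" }
end
```

Running the file prints one line per variant; only the Host-based form lets the spoofed request through unredirected. A genuine loopback client (remote_ip 127.0.0.1) is still exempt under option (a) and is redirected under option (b), which is why (b) is the simpler choice when the exception is not actually needed.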
Thanks to Jan Rusnacko of Red Hat Product Security for reporting the issue to us at foreman-security@googlegroups.com. We're treating this as security hardening rather than a CVE.