XMLRPC allows unauthed users access to various methods (which it shouldn't)

Bug #858867 reported by David
This bug affects 2 people
Affects             Status   Importance   Assigned to        Milestone
cobbler (Ubuntu)             Medium       Andres Rodriguez
  Oneiric                    Medium       Ubuntu Server
  Precise                    Medium       Ubuntu Server
  Quantal                    Medium       Andres Rodriguez

Bug Description

In at least oneiric, going against the "stated" defaults, it is possible for unauthorized users to query various XMLRPC methods. Some of those methods, imho, should not be available to unauthorized users... (like reading system settings, snippets among other things).

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).

David (d--)
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Revision history for this message
Dave Walker (davewalker) wrote :

Confirmed, with the following. Marking medium, and tagging as a security bug. I'm not certain it exposes credentials, or anything else highly privileged. If this is not the case, please update the bug with an example.

Thanks.

#!/usr/bin/python
# Python 2 proof of concept: each call below is a read-only query that the
# cobbler XMLRPC endpoint answers without any prior login() call.
import xmlrpclib
server = xmlrpclib.Server("http://127.0.0.1/cobbler_api")
print server.get_distros()   # distribution records
print server.get_profiles()  # profile records
print server.get_systems()   # system records
print server.get_images()    # image records
print server.get_repos()     # repository records

Changed in cobbler (Ubuntu):
importance: High → Medium
Changed in cobbler (Ubuntu Oneiric):
status: New → Confirmed
Changed in cobbler (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in cobbler (Ubuntu Oneiric):
milestone: none → oneiric-updates
Changed in cobbler (Ubuntu Precise):
milestone: none → precise-alpha-1
Revision history for this message
David (d--) wrote :

Right - well the impact / if this is even a security "bug" is going to be up to the user. Personally, I don't see why the methods are exposed without good reason - is it a requirement that they are exposed?

Dave Walker (davewalker)
Changed in cobbler (Ubuntu Oneiric):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Revision history for this message
Kate Stewart (kate.stewart) wrote :

updating milestone, since it wasn't released as part of alpha-1

Changed in cobbler (Ubuntu Precise):
milestone: precise-alpha-1 → precise-alpha-2
tags: added: rls-mgr-p-trackign
tags: added: rls-mgr-p-tracking
removed: rls-mgr-p-trackign
Martin Pitt (pitti)
Changed in cobbler (Ubuntu):
milestone: precise-alpha-2 → ubuntu-12.04-beta-1
Martin Pitt (pitti)
Changed in cobbler (Ubuntu):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
Martin Pitt (pitti)
Changed in cobbler (Ubuntu Precise):
milestone: ubuntu-12.04-beta-2 → ubuntu-12.04
James Page (james-page)
Changed in cobbler (Ubuntu Precise):
milestone: ubuntu-12.04 → ubuntu-12.04.1
Changed in cobbler (Ubuntu):
milestone: ubuntu-12.04 → quantal-alpha-1
Changed in cobbler (Ubuntu):
milestone: quantal-alpha-1 → quantal-alpha-2
Changed in cobbler (Ubuntu Quantal):
milestone: quantal-alpha-2 → quantal-alpha-3
Revision history for this message
Stéphane Graber (stgraber) wrote :

Daviey: Can we get a status update on this one? are you guys still planning on having it fixed for the point release?

Changed in cobbler (Ubuntu Quantal):
status: Confirmed → Triaged
Changed in cobbler (Ubuntu Precise):
status: Confirmed → Triaged
Changed in cobbler (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in cobbler (Ubuntu Quantal):
assignee: Ubuntu Server Team (ubuntu-server) → Andres Rodriguez (andreserl)
Revision history for this message
James Cammarata (jimi-c) wrote :

In my opinion as the maintainer, this is not a bug and will not be fixed upstream. Any functions that modify data require a login, and certain functions (like those performed by koan) require access to the XMLRPC endpoint without a login or access to the token stored locally for the CLI. At no point did we say all XMLRPC functions require a login.

Beyond that, a lot of the same data can be accessed over the web interface (namely the kickstart/preseed data), which contains information that could be considered just as sensitive (IPs, MACs, etc.). You should never have unencrypted data like plain-text passwords in your automated response files unless there is absolutely no other option and you can ensure the network they're traversing is secured.
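
An audit of the read/write split the maintainer describes, written here as an added Python 3 example (not code from the bug report or from cobbler itself): it calls each read-only method from davewalker's script with no token and checks that modifying methods fault when no token is supplied. The cobbler server is replaced by a constructed in-process stub; the write-method names `new_system` and `sync`, the token value and the record contents are assumptions.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Read-only methods the report shows answering with no login() call.
READ_METHODS = ["get_distros", "get_profiles", "get_systems",
                "get_images", "get_repos"]
# Modifying methods, which the maintainer says require a login token
# (names assumed from cobbler's API; only the stub below is exercised here).
WRITE_METHODS = ["new_system", "sync"]

class StubCobbler:
    """Constructed stand-in: reads answer without a token, writes fault
    unless the token matches, which is the behaviour the maintainer describes."""
    def _dispatch(self, method, params):
        if method in READ_METHODS:
            return [{"name": "example-" + method[4:-1]}]
        if method in WRITE_METHODS:
            if params[:1] != ("constructed-token",):
                raise ValueError("invalid token")  # returned to the client as a Fault
            return True
        raise ValueError("unknown method " + method)

class _Handler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/cobbler_api",)  # same path as the real endpoint

def start_stub():
    """Serve the stub on an ephemeral loopback port and return its URL."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=_Handler,
                             logRequests=False)
    srv.register_instance(StubCobbler())
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/cobbler_api" % srv.server_address[1]

def audit(url):
    """Report which reads succeed with no token and which writes refuse one."""
    proxy = xmlrpc.client.ServerProxy(url)
    result = {"unauthenticated_reads": [], "token_required_writes": []}
    for name in READ_METHODS:
        try:
            getattr(proxy, name)()
            result["unauthenticated_reads"].append(name)
        except xmlrpc.client.Fault:
            pass
    for name in WRITE_METHODS:
        try:
            getattr(proxy, name)("")  # deliberately no token
        except xmlrpc.client.Fault:
            result["token_required_writes"].append(name)
    return result
```

audit() takes any endpoint URL, so the same function can confirm for a given deployment which methods are reachable without credentials, which is what the README.Debian note warns about.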

Revision history for this message
Scott Moser (smoser) wrote :

Given James' and Daviey's comments above, I think we should just let this be.
It's more likely that sensitive information would live in the kickstart files (url=) which are not protected at all either.

Is there some appropriate way to document this and close it as such?

Revision history for this message
James Page (james-page) wrote :

Notes from today's IRC meeting:

Launchpad bug 858867 in cobbler (Ubuntu Quantal) "XMLRPC allows unauthed users access to various methods (which it shouldn't) " [Medium,Triaged] https://launchpad.net/bugs/858867
<jamespage> o/
 I second smoser's opinion on this bug
 its never going to be fixed - so please can we just 'Won't Fix' it
 upstream don't think its a bug
 any opinions?
<arosales> jamespage: any other place we should document this besides the bug?
<jamespage> I don't think so
<zul> README.Debian perhaps
<jamespage> zul, a warning sort of statement?
<zul> jamespage: yeah
<jamespage> zul, I guess that makes sense
<zul> jamespage: one liner is good enough
<jamespage> roaksoax, would you be OK todo that for quantal?
 we don't need to fix in released version IMHO
<roaksoax> jamespage: +1
<jamespage> roaksoax, ta
<arosales> roaksoax: thanks

Changed in cobbler (Ubuntu Oneiric):
status: Triaged → Won't Fix
Changed in cobbler (Ubuntu Precise):
status: Triaged → Won't Fix
James Page (james-page)
Changed in cobbler (Ubuntu Quantal):
status: Triaged → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu36

---------------
cobbler (2.2.2-0ubuntu36) quantal; urgency=low

  * debian/README.Debian: Add Warning note mentioning that XMLRPC API allows
    unauthenticated access to certain API methods. (LP: #858867)
 -- Andres Rodriguez <email address hidden> Tue, 07 Aug 2012 11:01:53 -0400

Changed in cobbler (Ubuntu Quantal):
status: Won't Fix → Fix Released
Revision history for this message
girts (girtsz) wrote :

Will it be fixed in the Ubuntu 12.04 release, because it is an important security issue??
It is a security issue!!

Revision history for this message
Dave Walker (davewalker) wrote :

This is not an issue that will be closed as described, as many do not feel that it is something that is worthy of significant work. We would be happy to sponsor a patch which exposes this as an option to disable, but it's not something that will be driven by those currently involved. I am sorry if this is not the response you were hoping for.

Thanks.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

marking wontfix as per discussion

Changed in cobbler (Ubuntu):
milestone: quantal-alpha-3 → none
status: Triaged → Won't Fix