XMLRPC allows unauthed users access to various methods (which it shouldn't)
Bug #858867 reported by David
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cobbler (Ubuntu) | Won't Fix | Medium | Andres Rodriguez |
Oneiric | Won't Fix | Medium | Ubuntu Server |
Precise | Won't Fix | Medium | Ubuntu Server |
Quantal | Fix Released | Medium | Andres Rodriguez |
Bug Description
In at least oneiric, going against the "stated" defaults, it is possible for unauthorized users to query various XMLRPC methods. Some of those methods, imho, should not be available to unauthorized users... (like reading system settings, snippets among other things).
Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git201106
Changed in | Field | Change
---|---|---
| visibility | private → public
cobbler (Ubuntu) | importance | Undecided → High
cobbler (Ubuntu Oneiric) | assignee | nobody → Ubuntu Server Team (ubuntu-server)
cobbler (Ubuntu Precise) | assignee | nobody → Ubuntu Server Team (ubuntu-server)
cobbler (Ubuntu) | milestone | precise-alpha-2 → ubuntu-12.04-beta-1
cobbler (Ubuntu) | milestone | ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
cobbler (Ubuntu Precise) | milestone | ubuntu-12.04-beta-2 → ubuntu-12.04
cobbler (Ubuntu Precise) | milestone | ubuntu-12.04 → ubuntu-12.04.1
cobbler (Ubuntu) | milestone | ubuntu-12.04 → quantal-alpha-1
cobbler (Ubuntu) | milestone | quantal-alpha-1 → quantal-alpha-2
cobbler (Ubuntu Quantal) | milestone | quantal-alpha-2 → quantal-alpha-3
cobbler (Ubuntu Quantal) | assignee | Ubuntu Server Team (ubuntu-server) → Andres Rodriguez (andreserl)
cobbler (Ubuntu Quantal) | status | Triaged → Won't Fix
Confirmed, with the following. Marking medium, and tagging as a security bug. I'm not certain it exposes credentials, or anything else highly privileged. If this is not the case, please update the bug with an example.
Thanks.
```python
#!/usr/bin/python
# Python 2 script (xmlrpclib): queries the local cobbler_api endpoint
# without logging in first, to show which read methods answer anyway.
import xmlrpclib

server = xmlrpclib.Server("http://127.0.0.1/cobbler_api")
print server.get_distros()
print server.get_profiles()
print server.get_systems()
print server.get_images()
print server.get_repos()
```
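As an added example (not from the bug report or from Cobbler's own code), a defender-side check that records which read methods a cobbler_api endpoint answers without a login token, so an admin can confirm whether a deployment is still affected. The in-process mock server, the method list (get_settings is an assumed name for the "system settings" the reporter mentions) and the fault-text matching are assumptions; point `audit_unauthenticated` at a real `http://host/cobbler_api` URL for a live check.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Read-only methods the report shows answering without a login token, plus
# get_settings for the "system settings" the reporter mentions (assumed name).
READ_METHODS = ("get_distros", "get_profiles", "get_systems",
                "get_images", "get_repos", "get_settings")

def audit_unauthenticated(url, methods=READ_METHODS):
    """Call each method with no token and classify it as 'exposed' (answered),
    'denied' (server refused) or 'missing' (method unknown to the server)."""
    proxy = xmlrpc.client.ServerProxy(url, allow_none=True)
    results = {}
    for name in methods:
        try:
            getattr(proxy, name)()
            results[name] = "exposed"
        except xmlrpc.client.Fault as fault:
            # Assumption: an unknown method comes back as a Fault whose text says
            # "not supported" (SimpleXMLRPCServer wording); any other Fault is a refusal.
            results[name] = "missing" if "not supported" in fault.faultString else "denied"
    return results

class _CobblerPathHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/cobbler_api",)  # Cobbler serves its API on this path

def _mock_cobbler():
    """Constructed stand-in for cobbler_api: get_distros answers freely (the
    reported behaviour), get_settings demands a token (the hardened behaviour)."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=_CobblerPathHandler,
                             logRequests=False, allow_none=True)
    srv.register_function(lambda: [{"name": "ubuntu-precise-x86_64"}], "get_distros")
    def get_settings(token=None):
        if token is None:
            raise xmlrpc.client.Fault(1, "invalid token: login required")
        return {"server": "127.0.0.1"}
    srv.register_function(get_settings, "get_settings")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    srv = _mock_cobbler()
    url = "http://127.0.0.1:%d/cobbler_api" % srv.server_address[1]
    try:
        return audit_unauthenticated(url, ("get_distros", "get_settings", "get_snippets"))
    finally:
        srv.shutdown()
        srv.server_close()
```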