lack of csrf protection in cobbler-web

Bug #858878 reported by David
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cobbler (Ubuntu)
High
Robie Basak
Oneiric
High
Robie Basak
Precise
High
Robie Basak

Bug Description

While cobbler makes use of the django web-framework, it does not make use of the built in csrf protection, leaving the web interface vulnerable to csrf attacks.

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).

Related branches

David (d--)
description: updated
David (d--)
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Dave Walker (davewalker)
Changed in cobbler (Ubuntu):
milestone: none → precise-alpha-1
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

While this is targeted for Precise, it also is going to need to be backported to Oneiric as this is a security vulnerability.

Changed in cobbler (Ubuntu Precise):
milestone: none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric):
milestone: precise-alpha-1 → oneiric-updates
Changed in cobbler (Ubuntu Precise):
importance: Undecided → High
Changed in cobbler (Ubuntu Precise):
status: New → Triaged
Changed in cobbler (Ubuntu Oneiric):
status: New → Triaged
Robie Basak (racb)
Changed in cobbler (Ubuntu Oneiric):
assignee: nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → Robie Basak (racb)
Revision history for this message
Kate Stewart (kate.stewart) wrote :

Moving milestone to alpha-2, and starting tracking on this since it missed alpha-1 milestone target.

Changed in cobbler (Ubuntu Precise):
milestone: precise-alpha-1 → precise-alpha-2
Revision history for this message
Robie Basak (racb) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1, but evidently got omitted from the changelog entry. I have just verified that CSRF protection in Precise (2.2.2-0ubuntu6) is working correctly.

Still pending: SRU for Oneiric.

Changed in cobbler (Ubuntu Precise):
status: Triaged → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

I've prepared an upload for oneiric-security (lp:~racb/ubuntu/oneiric/cobbler/security_201112) but this still needs review and testing.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Robie - Thanks for the oneiric-security branch! I've reviewed the diff and it looks mostly good. There are a few very minor touch-ups that will be needed to the changelog:

1) Make the patch attribution style in the changelog match the examples here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

2) The last bullet says that the change is to debian/cobbler.postinst, but it is actually to debian/cobbler-web.postinst

Those are very minor and something the security team can do if there are no other changes needed to be made.

However, there is one technical concern that I have with fix for bug 858860. It doesn't seem to do anything for existing cobbler installations. In other words, if you already have a world-readable users.digest, it will stay that way after the package upgrade.

Finally, have you had a chance to do testing in Oneiric? If so, can you provide some details on the testing that was performed?

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the issues above have been fixed.

Changed in cobbler (Ubuntu Oneiric):
status: Triaged → Incomplete
tags: added: patch-needswork
Revision history for this message
Robie Basak (racb) wrote :

I have prepared lp:~racb/ubuntu/oneiric/cobbler/858878_security which addresses all of Tyler's points (thanks for the review!). Details of testing to follow.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in cobbler (Ubuntu):
status: Fix Released → Invalid
Changed in cobbler (Ubuntu Oneiric):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers