Details
Description
This issue was revealed to us by a security consultant performing a penetration test on our production environment.
In the Chef WebUI, if you attempt to log in with invalid credentials, the page that is rendered includes a populated select box revealing all the Environments known to the Chef server. This is privileged data being exposed to a non-authenticated user.
To reproduce, submit invalid login details on the Chef WebUI login page, or visit /users/login_exec directly on any server running the Chef WebUI.
NOTE: Changing this to Priority:Major. I think this is a fairly large security issue.
Activity
Fixed to clear environments when credentials fail in master and 10-stable.
https://github.com/opscode/chef/commit/584a4cf64274f1e85e9dd1cc79dc8883fec0d0ed
https://github.com/opscode/chef/commit/7a2c30b1ad2c520de0e91fbbaf7f174382511392
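The pattern behind this ticket, and the shape of the fix described in the comment above, as an added stand-alone illustration. This is not the Chef WebUI source and not the content of the linked commits; it is a small Ruby simulation of a login action in which the environment list is loaded before the credentials are checked and the failure path re-renders the same template. The names (ALL_ENVIRONMENTS, VALID_USERS, login_exec_vulnerable, login_exec_fixed, render_login, leaked_environment_count) and the sample data are hypothetical and constructed for the example.

```ruby
# Constructed stand-in for the environment list a real controller would fetch
# from the Chef server over its authenticated API.
ALL_ENVIRONMENTS = %w[_default production staging].freeze

# Constructed credential store; a real controller would defer to the server.
VALID_USERS = { "admin" => "s3cret" }.freeze

def authenticate(user, password)
  VALID_USERS[user] == password
end

# Vulnerable pattern: the environment list is populated unconditionally and the
# failure branch hands it to the login template unchanged, so an
# unauthenticated client that posts bad credentials (or requests the action
# directly) receives every environment name in the response body.
def login_exec_vulnerable(params)
  environments = ALL_ENVIRONMENTS.dup # loaded before the credential check
  if authenticate(params[:name], params[:password])
    { template: :index, environments: environments, error: nil }
  else
    { template: :login, environments: environments, error: "Invalid credentials" }
  end
end

# Fixed pattern, matching what the ticket's fix describes: when the credentials
# fail, the environment list given to the login template is cleared. Loading
# privileged data only after a successful check (as below) is stricter still.
def login_exec_fixed(params)
  if authenticate(params[:name], params[:password])
    { template: :index, environments: ALL_ENVIRONMENTS.dup, error: nil }
  else
    { template: :login, environments: [], error: "Invalid credentials" }
  end
end

# Minimal rendering of the login page, so the leak shows up in an HTML body
# the way a tester would observe it rather than only in a controller variable.
def render_login(page)
  options = page[:environments].map { |e| %(<option value="#{e}">#{e}</option>) }.join
  %(<p class="error">#{page[:error]}</p><select name="environment">#{options}</select>)
end

# Tester's check over a failed-login response: count the <option> elements.
# After the fix an unauthenticated failure should yield zero.
def leaked_environment_count(html)
  html.scan(/<option value="([^"]*)"/).flatten.size
end

if __FILE__ == $PROGRAM_NAME
  bad = { name: "nobody", password: "wrong" }
  puts "vulnerable: #{leaked_environment_count(render_login(login_exec_vulnerable(bad)))} environments leaked"
  puts "fixed:      #{leaked_environment_count(render_login(login_exec_fixed(bad)))} environments leaked"
end
```

The same check applies to a live target: submit a failing login (or request the login action directly, as the description notes) and count the environment options in the returned page; any non-zero count from an unauthenticated request is the disclosure this ticket reports.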