CVE-2013-1399 (Console CSRF Vulnerability)
Posted February 6, 2013
Several components of the Puppet Enterprise console were vulnerable to CSRF attacks.
Cross site request forgery (CSRF) protection has been added to the following areas of the PE console: node request management, live management, and user administration. Now, basically every HTML form submitted to a server running one of these services gets a randomly generated token whose authenticity is compared against a token stored by the session of the currently logged-in user. Requests with tokens that do not authenticate (or are not present) will be answered with a "403 Forbidden" HTML status.
One exception to the CSRF protection model are HTTP requests that use basic HTTP user authorization. These are treated as "API" requests and, since by definition they include a valid (or not) username and password, they are considered secure.
Note that the Rails-based puppet dashboard application is not vulnerable due to Rails' built in CSRF protection.
This vulnerability affects the console role of Puppet Enterprise.
- Resolved in Puppet Enterprise 2.7.1