#1556 Inventory System
Closed: Fixed None Opened 14 years ago by smooge.

The Fedora System needs ways to track what hardware and virtual machines are in service, where they are located and other items that are for more managerial tasks (when do they go out of service etc). This is normally done via an inventory agent which can generate reports and such.

The project would go over the following items:
A) What open source inventory items are there?
B) Which ones best fit Fedora's infrastructure.
C) Implementation and deployment


I want to make a very strong recommendation against using OCS, as it is completely riddled with security holes. In a cursory look at the current code in SVN trunk (with some testing on version 1.02.1 on publictest10), I found tens of SQL injection vulnerabilities (requiring no auth), and one vulnerability that allows an unauthenticated attacker to write any file apache can write to on the system with any contents.

I have documented most of these in an IRC conversation with smooge (note: some false positives are included due to errors in the file that occur prior to the vulnerable call).

I'm not sure how we will handle notifying upstream about this (or if disclosure should instead go through a 3rd party). This is kind of an unfortunate situation for upstream because I don't think anything short of a rewrite could solve some of the issues with the code.

Replying to [comment:1 ricky]:

> I want to make a very strong recommendation against using OCS, as it is completely riddled with security holes. In a cursory look at the current code in SVN trunk (with some testing on version 1.02.1 on publictest10), I found tens of SQL injection vulnerabilities (requiring no auth), and one vulnerability that allows an unauthenticated attacker to write any file apache can write to on the system with any contents.
A correction to this: I realized last night that many of the SQL injection vulnerabilities did end up requiring auth, so the email I've sent upstream only mentioned 3 no-auth ones that I verified on publictest10 (and noted that many others were present with auth). Included was also a new one which allows an unauthenticated attacker to download a zip file of any directory apache has access to.

We are doing this now via puppet and git. Thanks skvidal
