When using Puppet exported resources, an administrator should always keep in mind the way they are defined. For those not familiar with Puppet (a configuration management tool), exported resources are resources declared in a global store that can then be collected by other nodes.
For example, you might declare a “backup” resource for every host, which is then collected on the backup server to create the required directories and access. That way you do not have to declare each host on the backup server.
These resources are stored by the puppet master. This means that a compromised server cannot add arbitrary exported resources to your store. However, there are potential problems with resources built from facts, as they are controlled by the node.
In the case of the backup sample, a malicious attacker could send a forged “fqdn” fact such as “../arbitrary/directory” and thus have its file layout created in an arbitrary place.
You can test this as follows:
wget --certificate=mycert.pem --private-key=mykey.pem "https://puppet:8140/production/catalog/my.fqdn.stuff?facts_format=b64_zlib_yaml&facts=`cat facts`" --no-check-certificate --header='Accept: yaml'
You can get the “facts” file content by reading your access.log. To decode it with PHP:
<?php echo gzuncompress(base64_decode(urldecode(urldecode(file_get_contents('facts'))))); ?>
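The same decoding can be used defensively on the master's access.log. The following Python check is an added example, not part of the original post: it decodes the facts parameter of a logged catalog request and reports an fqdn fact that differs from the node name in the request path or is not a hostname. The function names, the sample URIs and the simplified YAML layout are constructed, and it assumes the path segment after /catalog/ is the requesting node's name.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote, urlsplit

# Conservative hostname pattern: dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")

def decode_facts(param):
    """Same steps as the PHP one-liner: URL-decode twice, base64, zlib."""
    blob = base64.b64decode(unquote(unquote(param)))
    return zlib.decompress(blob).decode("utf-8", "replace")

def encode_facts(yaml_text):
    """Inverse of decode_facts, used only to build the constructed samples."""
    b64 = base64.b64encode(zlib.compress(yaml_text.encode())).decode()
    return quote(quote(b64, safe=""), safe="")

def check_catalog_request(request_uri):
    """Return a list of findings for one logged catalog request URI."""
    parts = urlsplit(request_uri)
    path = re.match(r"^/[^/]+/catalog/([^/]+)$", parts.path)
    param = re.search(r"(?:^|&)facts=([^&]*)", parts.query)
    if not path or not param:
        return []                      # not a catalog request carrying facts
    node = path.group(1)
    try:
        facts = decode_facts(param.group(1))
    except (ValueError, zlib.error):
        return ["facts parameter does not decode"]
    fact = re.search(r"^\s*fqdn:\s*(.*?)\s*$", facts, re.MULTILINE)
    if not fact:
        return ["no fqdn fact"]
    fqdn = fact.group(1).strip("\"'")
    findings = []
    if fqdn != node:
        findings.append(f"fqdn fact {fqdn!r} differs from node name {node!r}")
    if not HOSTNAME_RE.match(fqdn):
        findings.append(f"fqdn fact {fqdn!r} is not a hostname")
    return findings

def sample_uri(node, fqdn):
    """Constructed request URI; the YAML layout is an assumed, simplified one."""
    facts = encode_facts(f"--- \nname: {node}\nvalues:\n  fqdn: {fqdn}\n")
    return f"/production/catalog/{node}?facts_format=b64_zlib_yaml&facts={facts}"

GOOD = sample_uri("my.fqdn.stuff", "my.fqdn.stuff")
FORGED = sample_uri("my.fqdn.stuff", "../arbitrary/directory")
```

A mismatch is only a signal: hosts whose node name legitimately differs from their fqdn fact will be reported as well.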