Bug #11859

CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change

Added by Dominic Cleal almost 2 years ago. Updated almost 2 years ago.

Status:Closed
Priority:Normal
Assigned To:Shlomi Zadok
Category:Security
Target version:-
Difficulty:
Bugzilla link:1268995
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/2736
Story points:-
Velocity based estimate:-
Release:1.10.0
Release relationship:Auto

Description

We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.

An example on the global parameters form is:

"><script>alert("hi")</script><b c="

Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.
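An added example in plain JavaScript (not Foreman's code and not the fix in the linked pull request) of the pattern behind this class of bug: a hide/show toggle that rebuilds the input markup with the stored value placed in an attribute. The unescaped version lets the quoted payload from the description break out of the attribute; the escaped version keeps it inert. The function names and the sample value are constructed for this example.

```javascript
// Added example, not Foreman's code: the unsafe pattern next to a hardened
// version. On toggle, the parameter value is written into the value attribute
// of freshly built <input> markup.

// Constructed sample value: the payload quoted in the bug description.
const SAMPLE_VALUE = '"><script>alert("hi")</script><b c="';

// Vulnerable: raw string concatenation lets a value containing `"` close the
// attribute early and inject its own tags into the page.
function renderToggleUnsafe(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return '<input type="' + type + '" value="' + value + '">';
}

// Escape the characters that change meaning in HTML text or a quoted
// attribute. '&' is handled first so already-escaped text is not re-escaped.
// Attribute values must always be quoted for this to be sufficient.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: every dynamic value passes through escapeHtml before insertion.
// In a real page, setting input.type and input.value as DOM properties instead
// of re-serialising markup avoids the problem entirely.
function renderToggleSafe(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return '<input type="' + type + '" value="' + escapeHtml(value) + '">';
}

// Count <script> start tags in a rendered fragment (a simple check a test
// suite can run against the toggle's output).
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```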

Associated revisions

Revision 4f3555b2
Added by Shlomi Zadok almost 2 years ago

Fixes #11859 - handle HTML in parameters safely when hiding values (CVE-2015-5282)

History

#1 Updated by The Foreman Bot almost 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2736 added

#2 Updated by Dominic Cleal almost 2 years ago

  • Subject changed from Parameter hide/show checkbox allows XSS during textbox change to CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
  • Description updated (diff)

#3 Updated by Dominic Cleal almost 2 years ago

  • Assigned To set to Shlomi Zadok

#4 Updated by Shlomi Zadok almost 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Bryan Kearney almost 2 years ago

  • Bugzilla link set to 1268995
