Bug #12611

CVE-2015-7518 - Smart class parameters/variables shown on host edit allows stored XSS in description

Added by Dominic Cleal about 1 year ago. Updated 11 months ago.

Status:Closed
Priority:Normal
Assigned To:Tomer Brisker
Category:Security
Target version:-
Difficulty:
Bugzilla link:1297040
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/2936
Story points:-
Velocity based estimate:-
Release:1.10.0
Release relationship:Auto

Description

Reported by Tomer Brisker to foreman-security:

I have discovered a stored XSS vulnerability in the host and hostgroup edit forms caused by smart class parameters and smart variables.

These forms display a popover that shows additional info about any of the parameters that can be overridden. The popover is rendered with HTML but contains values that can be input by a user - the parameter description, and in the develop branch also the inherited value.

Effectively, any user who can edit parameters can input arbitrary HTML or JS into the description field or the default value, which will be executed once the popover is triggered by any other user.

This affects all versions of Foreman.

CVE identifier is CVE-2015-7518.


Related issues

Related to Foreman - Feature #7163: In host's edit page, show the source for the value of pup... Closed 08/20/2014
Related to Foreman - Feature #15495: URL's in parameter description New 06/22/2016

Associated revisions

Revision 32468bce
Added by Tomer Brisker 12 months ago

Fixes #12611 - CVE-2015-7518 prevent XSS on host edit form

The host edit forms allowed stored XSS attacks by storing html content
in smart class parameter and smart variable description or inherited
values, which is then passed unescaped to an html-allowing popover.
This patch makes sure these user-controlled strings are correctly
escaped before being inserted into the popover.

History

#1 Updated by Dominic Cleal about 1 year ago

  • Subject changed from Smart class parameters/variables shown on host edit allows stored XSS in description to CVE-2015-7518 - Smart class parameters/variables shown on host edit allows stored XSS in description
  • Description updated (diff)

#2 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/2936 added

#3 Updated by Anonymous 12 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Dominic Cleal 12 months ago

  • Release set to 1.10.0

#5 Updated by Dominic Cleal 12 months ago

The patch fixes a few distinct XSS paths in the same information popups:

  1. Source name in global parameters, e.g. the name of a host group (since #7163 in 1.7.0)
  2. Description field in smart variables/class parameters (since 1.2 or earlier)
  3. Matcher in smart variables/class parameter overrides (since 1.2 or earlier)
  4. Inherited value in smart variables/class parameter overrides (1.11/develop only, not released)
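To make the escaping fix concrete, here is an added Ruby example that is not Foreman's own code: a stand-in for the host edit form popover helper that builds the popover markup from the four user-controlled fields listed above (source name, description, matcher, inherited value). The `vulnerable_content` method interpolates the stored strings straight into the HTML, which is the behaviour the report and the commit message describe; `safe_content` passes each string through `ERB::Util.html_escape` before insertion, the same approach the commit message describes. The module, method and field names and the sample parameter values are constructed for illustration and do not correspond to Foreman's actual helpers.

```ruby
require 'erb'

# Constructed sample: a smart parameter reduced to the four stored strings that
# the fix escapes. Each value carries markup so the difference between the two
# renderings is visible. These are test values, not real Foreman data.
SAMPLE_PARAM = {
  name:            'ntp_servers',
  source_name:     'hostgroup <b>prod</b>',                   # path 1: source name
  description:     'Servers used<script>alert(1)</script>',   # path 2: description
  matcher:         'fqdn=web01.example.com"><img src=x>',     # path 3: matcher
  inherited_value: '<i>unset</i>'                             # path 4: inherited value
}.freeze

# Hypothetical popover helper (not Foreman's code).
module ParameterPopover
  module_function

  # Before the fix: user-controlled strings are dropped into the HTML fragment
  # unchanged. Because the popover renders its content as HTML, any tag stored
  # in these fields runs in the browser of whoever opens the popover.
  def vulnerable_content(param)
    <<~HTML
      <p>Source: #{param[:source_name]}</p>
      <p>Description: #{param[:description]}</p>
      <p>Matcher: #{param[:matcher]}</p>
      <p>Inherited value: #{param[:inherited_value]}</p>
    HTML
  end

  # After the fix: every user-controlled string is HTML-escaped at the point it
  # enters the fragment. The popover keeps rendering HTML for its own layout,
  # but stored values can only ever appear as text.
  def safe_content(param)
    <<~HTML
      <p>Source: #{escape(param[:source_name])}</p>
      <p>Description: #{escape(param[:description])}</p>
      <p>Matcher: #{escape(param[:matcher])}</p>
      <p>Inherited value: #{escape(param[:inherited_value])}</p>
    HTML
  end

  # ERB::Util.html_escape replaces & < > " and ' with entity references.
  def escape(value)
    ERB::Util.html_escape(value.to_s)
  end

  # Review oracle: true when a stored field containing a tag reappears verbatim
  # in the rendered fragment, i.e. it was inserted without escaping.
  def leaks_markup?(rendered, param)
    %i[source_name description matcher inherited_value].any? do |field|
      raw = param[field].to_s
      raw.match?(/<[a-zA-Z]/) && rendered.include?(raw)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts '--- vulnerable rendering ---'
  puts ParameterPopover.vulnerable_content(SAMPLE_PARAM)
  puts '--- escaped rendering ---'
  puts ParameterPopover.safe_content(SAMPLE_PARAM)
end
```

Running the file prints both renderings side by side. The design point is where the escaping happens: it is applied to each stored value as it enters the fragment, not to the whole popover, so the helper's own `<p>` layout survives while the description, matcher, source name and inherited value are reduced to text. `leaks_markup?` is only a cheap check for reviewing templates that build HTML from stored strings; it does not replace escaping.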

#6 Updated by Dominic Cleal 12 months ago

  • Related to Feature #7163: In host's edit page, show the source for the value of puppet class parameters added

#7 Updated by Bryan Kearney 11 months ago

  • Bugzilla link set to 1297040

#8 Updated by Dominic Cleal 5 months ago
