CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page
|Assigned To:||Joseph Magen|
|Target version:||Sprint 21|
|Found in release:||1.4.0||Pull request:|
|Velocity based estimate||-|
Any user who has a privilege to add bookmarks could exploit the cross site scripting vulnerability to expose other users' personal data by storing malicious scripts when adding bookmark. As the script is permanently stored, every time others access /bookmarks to view the bookmarks, they will be affected.
Add a bookmark with some script code(e.g. <script>alert('xss')</script>) set as its bookmark name
Access /bookmarks to view bookmarks
The script will be executed.
User inputs such as special characters must be validated, filtered or encoded before being returned as part of the HTML code of a page.
CWE-931 - http://cwe.mitre.org/data/definitions/931.html
Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected, they correctly escape the message.
fixes #4456 - XSS on 500 error page and bookmark name causing render error (CVE-2014-0089)
#3 Updated by Greg Sutcliffe about 4 years ago
I can't replicate this. A bookmark with the example code as name displays correctly on my bookmarks page, performs the search if selected on the Hosts page, and does not trigger the script when loaded - this is true both for admin and a normal user (with view_bookmarks, as tested with Marek's new rbac pr applied). Using Firefox 27.0.
The DB seems to show that no character conversion has occurred during save:
sqlite> select * from bookmarks; 7|<script>alert('xss')</script>|foo|hosts|t|1|User
The HTML of the page confirms it's displaying them safely:
<td><a class=" disabled" disabled="disabled" href="#" onclick="; return false;"><script>alert('xss')</script></a></td>
Just for fun I applied the attached patch anyway, and confirmed the all same behaviour and results, so the patch doesn't change anything, as far as I can tell.
#4 Updated by Ohad Levy about 4 years ago
the issue is really with the exception 500 page, as the exception is treated as html safe.
every other place that you can generate an exception based on input will have this issue.
@Greg, I had no problem to replicate this, ping me if you like to go over it togther
#6 Updated by Dominic Cleal about 4 years ago
- Subject changed from CVE-2014-0089 - Bookmark names are vulnerable to XSS to CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page
To clarify, as Ohad said, this is an issue on the 500 error page. The bookmark page is failing to render and find an appropriate route for the bookmark containing the script tag, triggering a 500 error (which is a minor/partial DoS in itself, but not CVE-worthy) and then the 500 error page is rendering the error without HTML escaping.