Bug #4456

CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page

Added by Dominic Cleal about 3 years ago. Updated about 3 years ago.

Status:Closed
Priority:Urgent
Assigned To:Joseph Magen
Category:Security
Target version:Sprint 21
Difficulty:
Bugzilla link:
Found in release:1.4.0
Pull request:
Story points:-
Velocity based estimate:-
Release:1.4.2
Release relationship:Auto

Description
Any user who has a privilege to add bookmarks could exploit the cross site scripting vulnerability to expose other users' personal data by storing malicious scripts when adding bookmark. As the script is permanently stored, every time others access /bookmarks to view the bookmarks, they will be affected.

Severity: High

Affected URLs
http://$foreman/bookmarks

Steps
Add a bookmark with some script code (e.g. <script>alert('xss')</script>) set as its bookmark name
Access /bookmarks to view the bookmarks

Result
The script will be executed.

Remedy advice
User inputs such as special characters must be validated, filtered or encoded before being returned as part of the HTML code of a page.

Reference
CWE-931 - http://cwe.mitre.org/data/definitions/931.html

Affects
Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected; they correctly escape the message.

0001-fixes-bookmark-error.patch - v1 patch (2.01 KB) Dominic Cleal, 02/26/2014 04:28 PM


Related issues

Related to Foreman - Bug #4519: Renaming host with / in name causes "No route matches" error Closed 03/03/2014

Associated revisions

Revision 69e46d6d
Added by Joseph Magen about 3 years ago

fixes #4456 - XSS on 500 error page and bookmark name causing render error (CVE-2014-0089)

History

#1 Updated by Dominic Cleal about 3 years ago

  • Subject changed from Bookmark names are vulnerable to XSS to CVE-2014-0089 - Bookmark names are vulnerable to XSS
  • Description updated (diff)

#2 Updated by Dominic Cleal about 3 years ago

Unreviewed v1 patch from Joseph.

#3 Updated by Greg Sutcliffe about 3 years ago

I can't replicate this. A bookmark with the example code as name displays correctly on my bookmarks page, performs the search if selected on the Hosts page, and does not trigger the script when loaded - this is true both for admin and a normal user (with view_bookmarks, as tested with Marek's new rbac pr applied). Using Firefox 27.0.

The DB seems to show that no character conversion has occurred during save:

sqlite> select * from bookmarks;
7|<script>alert('xss')</script>|foo|hosts|t|1|User

The HTML of the page confirms it's displaying them safely:

<td><a class=" disabled" disabled="disabled" href="#" onclick="; return false;">&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</a></td>

Just for fun I applied the attached patch anyway, and confirmed all the same behaviour and results, so the patch doesn't change anything, as far as I can tell.

#4 Updated by Ohad Levy about 3 years ago

the issue is really with the exception 500 page, as the exception is treated as html safe.

every other place that you can generate an exception based on input will have this issue.

@Greg, I had no problem replicating this; ping me if you like to go over it together

#5 Updated by Joseph Magen about 3 years ago

Greg, you must start the rails server in production mode to see the error.

#6 Updated by Dominic Cleal about 3 years ago

  • Subject changed from CVE-2014-0089 - Bookmark names are vulnerable to XSS to CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page

To clarify, as Ohad said, this is an issue on the 500 error page. The bookmark page is failing to render and find an appropriate route for the bookmark containing the script tag, triggering a 500 error (which is a minor/partial DoS in itself, but not CVE-worthy) and then the 500 error page is rendering the error without HTML escaping.
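The two rendering patterns described in this thread (and in the "Remedy advice" section of the description), as an added Ruby example that is not Foreman's code or the attached patch: a routing failure caused by a bookmark name produces an exception message that carries the untrusted name, and the 500 page either interpolates that message as if it were HTML-safe (the bug) or HTML-escapes it first (the fix). The exception wording, the function names and the page template are constructed for illustration; CGI.escapeHTML from the Ruby standard library stands in for Rails' ERB::Util.html_escape.

```ruby
require 'cgi'

# Constructed sample input: the bookmark name from the reproduction steps above.
MALICIOUS_BOOKMARK_NAME = "<script>alert('xss')</script>"

# Stand-in for the "No route matches" exception raised when the bookmark link
# is built. The wording is constructed; the point is that the untrusted name
# ends up inside the exception message.
def routing_error_message(bookmark_name)
  "No route matches {:controller=>\"hosts\", :search=>\"#{bookmark_name}\"}"
end

# Vulnerable pattern: the exception message is dropped into the 500 page as-is,
# i.e. treated as HTML-safe, so any markup in the bookmark name becomes live HTML.
def render_500_unescaped(message)
  "<h1>Internal Server Error</h1>\n<pre>#{message}</pre>"
end

# Hardened pattern: escape the message before it enters the template, so the
# browser displays the bookmark name as text instead of executing it.
def render_500_escaped(message)
  "<h1>Internal Server Error</h1>\n<pre>#{CGI.escapeHTML(message)}</pre>"
end

# Regression check a test suite can run: does the rendered page still contain
# the untrusted input verbatim? True means the page reflects it unescaped.
def reflects_raw_input?(page, untrusted)
  page.include?(untrusted)
end

if __FILE__ == $PROGRAM_NAME
  msg = routing_error_message(MALICIOUS_BOOKMARK_NAME)
  puts "unescaped page reflects input: #{reflects_raw_input?(render_500_unescaped(msg), MALICIOUS_BOOKMARK_NAME)}"
  puts "escaped page reflects input:   #{reflects_raw_input?(render_500_escaped(msg), MALICIOUS_BOOKMARK_NAME)}"
  puts render_500_escaped(msg)
end
```

The same reflects_raw_input? check is what Greg's comment above does by hand on the bookmarks page; the difference is that the 500 page, not the bookmarks table, is where the unescaped copy appears, which is why the server has to be run in production mode (so the production error page, rather than the development debug page, is rendered) to reproduce it.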

#7 Updated by Dominic Cleal about 3 years ago

  • Description updated (diff)

Affects Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected; they correctly escape the message.

#8 Updated by Dominic Cleal about 3 years ago

  • Related to Bug #4519: Renaming host with / in name causes "No route matches" error added

#9 Updated by Dominic Cleal about 3 years ago

  • Target version changed from Sprint 20 to Sprint 21

#10 Updated by Dominic Cleal about 3 years ago

  • Due date set to 03/18/2014

#11 Updated by Dominic Cleal about 3 years ago

  • Status changed from Assigned to Pending

ACK, patch v1 is good.

#12 Updated by Dominic Cleal about 3 years ago

  • Found in release set to 1.4.0

#13 Updated by Dominic Cleal about 3 years ago

  • Private changed from Yes to No

#14 Updated by Joseph Magen about 3 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#15 Updated by Dominic Cleal about 3 years ago

  • Description updated (diff)
