Bug #5471

CVE-2014-0208 - Stored XSS inside search auto-complete key names via parameters

Added by Dominic Cleal over 3 years ago. Updated over 3 years ago.

Status:Closed
Priority:High
Assigned To:Amos Benari
Category:Security
Target version:Sprint 23
Difficulty:
Bugzilla link:1088315
Found in release:
Pull request:
Story points:-
Velocity based estimate:-
Release:1.4.4
Release relationship:Auto

Description

Reported by Jan Hutař of Red Hat.

Description of problem:
There is a possible XSS: Configure -> Global parameters - key name with HTML evaluated when auto-completing

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Global parameters -> New Parameter
2. Fill in this:
Name: test<script>alert('HI')</script>
Value: something
Click "Submit" to create the parameter
3. Note that parameter name is correctly escaped in the parameters list
4. In the search bar above the table with parameters type "name = "
and wait for the auto-complete function to display your recommendations

Actual results:
Once the recommendations are displayed, JavaScript alert window appears (script gets executed)

Expected results:
Stuff should be escaped in the suggested list.

Additional info:
Same happens for "value" when you type "value = " into the search box.

0001-fixes-5471-html-escape-auto-completer-values.patch - v1 patch (1.53 KB) Dominic Cleal, 05/07/2014 11:05 AM
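The report boils down to a context mismatch: the parameter name is escaped where the parameters table renders it, but the same string is handed to the search auto-completer, which builds its dropdown as HTML, so the stored `<script>` runs the moment the suggestion list appears. The following is an added illustration (not the project's code and not the attached patch) of the vulnerable shape beside the escaped one. The parameter records, the `suggestions_*` helpers and `render_dropdown_html` are all assumed for the example; `render_dropdown_html` stands in for a client widget that concatenates suggestion labels into markup, which is the behaviour the reproduction steps describe.

```ruby
require 'erb'

# Constructed sample data: what the Global parameters table would hold after
# the reproduction steps above. Names and values are user-controlled.
SAMPLE_PARAMETERS = [
  { name: "test<script>alert('HI')</script>", value: 'something' },
  { name: 'ntp_server',                       value: 'pool.ntp.org' },
  { name: 'proxy',                            value: '"><img src=x onerror=alert(1)>' }
].freeze

# Collect distinct values of one field (:name or :value) that match the
# prefix typed after "name = " / "value = " in the search box.
def suggestions(params, field, prefix = '')
  params.map { |p| p[field] }
        .select { |v| v.start_with?(prefix) }
        .uniq
end

# Vulnerable shape: the stored string is returned untouched. The list view
# escapes it, the auto-completer does not, so the payload reaches the DOM.
def suggestions_unescaped(params, field, prefix = '')
  suggestions(params, field, prefix).map { |v| { label: v } }
end

# Fixed shape: HTML-escape every suggestion before it leaves the server, so a
# widget that inserts labels as markup can only ever render inert text.
def suggestions_escaped(params, field, prefix = '')
  suggestions(params, field, prefix).map { |v| { label: ERB::Util.html_escape(v) } }
end

# Assumed stand-in for the client dropdown: labels are concatenated straight
# into markup (innerHTML-style), exactly the sink the report triggers.
def render_dropdown_html(suggestion_list)
  '<ul>' + suggestion_list.map { |s| "<li>#{s[:label]}</li>" }.join + '</ul>'
end

# Check used below: does the rendered dropdown still carry a live script tag?
def script_survives?(html)
  html.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_dropdown_html(suggestions_unescaped(SAMPLE_PARAMETERS, :name, 'test'))
  puts render_dropdown_html(suggestions_escaped(SAMPLE_PARAMETERS, :name, 'test'))
end
```

Escaping on the server is the quick, defensible fix for a widget you do not control, which is the direction the attached patch title indicates. The more durable fix is on the client: have the auto-completer assign suggestion labels as text (DOM `textContent`, or the widget's escaping option) rather than building HTML by concatenation, so that no future endpoint has to remember to escape. Doing both is fine; doing neither reproduces the bug for every other field that is later wired into search.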

Associated revisions

Revision ee672544
Added by Amos Benari over 3 years ago

fixes #5471 html escape auto-completer values (CVE-2014-0208)

History

#1 Updated by Dominic Cleal over 3 years ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Amos Benari
  • Release set to 1.4.4

#2 Updated by Dominic Cleal over 3 years ago

  • Subject changed from Stored XSS inside search auto-complete key names via parameters to CVE-2014-0208 - Stored XSS inside search auto-complete key names via parameters

#3 Updated by Dominic Cleal over 3 years ago

Attaching patch from Amos against develop.

#4 Updated by Dominic Cleal over 3 years ago

  • Private changed from Yes to No

#5 Updated by Amos Benari over 3 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
