Bug #5881

CVE-2014-3491 - XSS from create/update/destroy notification boxes

Added by Dominic Cleal about 3 years ago. Updated about 3 years ago.

Status:Closed
Priority:High
Assigned To:Joseph Magen
Category:Security
Target version:Sprint 25
Difficulty:
Bugzilla link:1100313
Found in release:
Pull request:
Story points:-
Velocity based estimate:-
Release:1.4.5
Release relationship:Auto

Description

possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>

Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITTED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch - v1 patch (3.8 KB) Dominic Cleal, 06/10/2014 04:23 PM

0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch (3.71 KB) Joseph Magen, 06/11/2014 01:19 PM

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch - v3 patch against develop (4.84 KB) Dominic Cleal, 06/17/2014 04:03 PM

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch - v3 patch against 1.4-stable (3.38 KB) Dominic Cleal, 06/17/2014 04:04 PM


Related issues

Related to Foreman - Bug #6351: <br /> seen in UI errors when multiple errors exist on a ... Duplicate 06/24/2014
Related to Foreman - Bug #6402: Using "run puppet" feature fails: undefined method `gsub'... Closed 06/26/2014
Related to Foreman - Bug #6903: "<br/>" in text when receiving error while deleting multi... Closed 08/04/2014

Associated revisions

Revision 983075c0
Added by Joseph Magen about 3 years ago

fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)

History

#1 Updated by Dominic Cleal about 3 years ago

  • Subject changed from XSS from create/update/destroy notification boxes to EMBARGOED: XSS from create/update/destroy notification boxes

#2 Updated by Dominic Cleal about 3 years ago

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)

#3 Updated by Joseph Magen about 3 years ago

  • Status changed from New to Assigned

Rails automatically escapes/sanitizes text strings when saving to the DB, so this is the reason for the "strange formatting".

I emailed patch.

#4 Updated by Dominic Cleal about 3 years ago

Please just attach the patch for review here, thanks.

#5 Updated by Dominic Cleal about 3 years ago

Attached is the v1 patch.

Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.

I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.

#6 Updated by Dominic Cleal about 3 years ago

  • Release set to 1.5.1

#7 Updated by Joseph Magen about 3 years ago

new patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize
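
The pattern behind this ticket and the fix Joseph and Dominic settled on, as an added example in plain Ruby (not Foreman's own code, and no Rails dependency): a success notification that interpolates a user-controlled resource name straight into markup, its escaped counterpart using CGI.escapeHTML, and the follow-on pitfall recorded in the related bugs (#6351, #6903), where escaping a message after joining errors with "<br />" makes the "<br />" appear literally. The helper names and the sample hostgroup name are constructed for illustration.

```ruby
# Added example, not Foreman's code. Function names are hypothetical.
require 'cgi'

# Constructed input matching the ticket's reproduction step.
HOSTGROUP_NAME = "test<script>alert('HI')</script>".freeze

# Vulnerable: the resource name is dropped directly into the HTML that the
# notification box inserts into the page, so the <script> element runs.
def notice_unescaped(verb, name)
  "<strong>#{name}</strong> successfully #{verb}."
end

# Fixed (v2 approach from the ticket): HTML-escape the untrusted name before
# it goes into markup. Unlike stripping tags with a sanitizer, escaping keeps
# the full name visible to the user, which is why escaping was preferred.
def notice_escaped(verb, name)
  "<strong>#{CGI.escapeHTML(name)}</strong> successfully #{verb}."
end

# Crude check used by the assertions below: is a raw <script> tag still present?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

# Regression to avoid (the "<br />" bugs related to this ticket): escaping the
# whole joined string also escapes the separator markup, so users see "<br />".
def errors_notice_wrong(errors)
  CGI.escapeHTML(errors.join('<br />'))
end

# Correct: escape each untrusted piece, then join with markup you control.
def errors_notice_right(errors)
  errors.map { |e| CGI.escapeHTML(e) }.join('<br />')
end

if __FILE__ == $PROGRAM_NAME
  puts notice_unescaped('created', HOSTGROUP_NAME)
  puts notice_escaped('created', HOSTGROUP_NAME)
  puts errors_notice_wrong(["Name can't be blank", "Bad value <b>x</b>"])
  puts errors_notice_right(["Name can't be blank", "Bad value <b>x</b>"])
end
```

The rule the two halves illustrate is the same one: untrusted text is escaped at the point it is interpolated into HTML, never after trusted markup has already been mixed in, and escaping (rather than stripping) is what lets the original name be shown intact.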

#8 Updated by Dominic Cleal about 3 years ago

  • Subject changed from EMBARGOED: XSS from create/update/destroy notification boxes to EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes

#9 Updated by Dominic Cleal about 3 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Joseph!

#10 Updated by Dominic Cleal about 3 years ago

  • Target version changed from Sprint 24 to Sprint 25

#11 Updated by Dominic Cleal about 3 years ago

  • Release changed from 1.5.1 to 1.4.5

#13 Updated by Dominic Cleal about 3 years ago

  • Subject changed from EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes to CVE-2014-3491 - XSS from create/update/destroy notification boxes
  • Private changed from Yes to No

#14 Updated by Joseph Magen about 3 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#15 Updated by Dominic Cleal about 3 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.

#16 Updated by Dominic Cleal about 3 years ago

  • Related to Bug #6351: <br /> seen in UI errors when multiple errors exist on a resource added

#17 Updated by Dominic Cleal about 3 years ago

  • Related to Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> added

#18 Updated by Dominic Cleal almost 3 years ago

  • Related to Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts added
