Project

General

Profile

Actions

Bug #4456

closed

CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page

Added by Dominic Cleal about 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Description
Any user who has a privilege to add bookmarks could exploit the cross site scripting vulnerability to expose other users' personal data by storing malicious scripts when adding bookmark. As the script is permanently stored, every time others access /bookmarks to view the bookmarks, they will be affected.

Severity: High

Affected URLs
http://$foreman/bookmarks

Steps
Add a bookmark with some script code(e.g. <script>alert('xss')</script>) set as its bookmark name
Access /bookmarks to view bookmarks

Result
The script will be executed.

Remedy advice
User inputs such as special characters must be validated, filtered or encoded before being returned as part of the HTML code of a page.

Reference
CWE-931 - http://cwe.mitre.org/data/definitions/931.html

Affects
Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected, they correctly escape the message.


Files

0001-fixes-bookmark-error.patch 0001-fixes-bookmark-error.patch 2.01 KB v1 patch Dominic Cleal, 02/26/2014 04:28 PM

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #4519: Renaming host with / in name causes "No route matches" errorClosedTomer Brisker03/03/2014Actions
Actions #1

Updated by Dominic Cleal about 10 years ago

  • Subject changed from Bookmark names are vulnerable to XSS to CVE-2014-0089 - Bookmark names are vulnerable to XSS
  • Description updated (diff)
Actions #2

Updated by Dominic Cleal about 10 years ago

Unreviewed v1 patch from Joseph.

Actions #3

Updated by Greg Sutcliffe about 10 years ago

I can't replicate this. A bookmark with the example code as name displays correctly on my bookmarks page, performs the search if selected on the Hosts page, and does not trigger the script when loaded - this is true both for admin and a normal user (with view_bookmarks, as tested with Marek's new rbac pr applied). Using Firefox 27.0.

The DB seems to show that no character conversion has occurred during save:

sqlite> select * from bookmarks;
7|<script>alert('xss')</script>|foo|hosts|t|1|User

The HTML of the page confirms it's displaying them safely:

<td><a class=" disabled" disabled="disabled" href="#" onclick="; return false;">&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</a></td>

Just for fun I applied the attached patch anyway, and confirmed the all same behaviour and results, so the patch doesn't change anything, as far as I can tell.
Actions #4

Updated by Ohad Levy about 10 years ago

the issue is really with the exception 500 page, as the exception is treated as html safe.

every other place that you can generate an exception based on input will have this issue.

@Greg Sutcliffe, I had no problem to replicate this, ping me if you like to go over it togther

Actions #5

Updated by Joseph Magen about 10 years ago

Greg, you must start the rails server in production mode to see the error.

Actions #6

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from CVE-2014-0089 - Bookmark names are vulnerable to XSS to CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page

To clarify, as Ohad said, this is an issue on the 500 error page. The bookmark page is failing to render and find an appropriate route for the bookmark containing the script tag, triggering a 500 error (which is a minor/partial DoS in itself, but not CVE-worthy) and then the 500 error page is rendering the error without HTML escaping.

Actions #7

Updated by Dominic Cleal almost 10 years ago

  • Description updated (diff)

Affects Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected, they correctly escape the message.

Actions #8

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #4519: Renaming host with / in name causes "No route matches" error added
Actions #9

Updated by Dominic Cleal almost 10 years ago

  • Target version changed from 1.9.1 to 1.9.0
Actions #10

Updated by Dominic Cleal almost 10 years ago

  • Due date set to 03/18/2014
Actions #11

Updated by Dominic Cleal almost 10 years ago

  • Status changed from Assigned to Pending

ACK, patch v1 is good.

Actions #13

Updated by Dominic Cleal almost 10 years ago

  • Private changed from Yes to No
Actions #14

Updated by Joseph Magen almost 10 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
Actions #15

Updated by Dominic Cleal almost 10 years ago

  • Description updated (diff)
Actions

Also available in: Atom PDF