Bug #5471
CVE-2014-0208 - Stored XSS inside search auto-complete key names via parameters
Description
Reported by Jan Hutař of Red Hat.
Description of problem:
There is a possible XSS: Configure -> Global parameters - key name with HTML evaluated when auto-completing
How reproducible:
always
Steps to Reproduce:
1. In webUI go to Configure -> Global parameters -> New Parameter
2. Fill in this:
Name: test<script>alert('HI')</script>
Value: something
Click "Submit" to create the parameter
3. Note that parameter name is correctly escaped in the parameters list
4. In the search bar above the table with parameters type "name = "
and wait for the auto-complete function to display recommendations to you
Actual results:
Once the recommendations are displayed, a JavaScript alert window appears (the script gets executed)
Expected results:
Stuff should be escaped in the suggested list.
Additional info:
Same happens for "value" when you type "value = " into the search box.
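As an added illustration (not Foreman's code and not the attached patch), the JavaScript below shows the escaping step the fix applies: each auto-completer candidate for "name = " or "value = " is HTML-escaped before it is placed in the suggestion list, so a stored parameter name containing markup is shown as text rather than interpreted. The PARAMETERS records, escapeHtml, completions and renderSuggestions are all constructed for this example.

```javascript
// Added example: HTML-escape auto-complete suggestions before rendering.
// Constructed sample data standing in for the Global parameters table;
// the first name is the payload from the bug report.
const PARAMETERS = [
  { name: "test<script>alert('HI')</script>", value: "something" },
  { name: "ntp_server", value: "a & b" },
];

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Return the completion candidates for a search prefix such as "name = "
// or "value = ", taken from the matching column and filtered by what has
// already been typed after the "=".
function completions(prefix, params = PARAMETERS) {
  const m = /^(name|value)\s*=\s*(.*)$/.exec(prefix);
  if (!m) return [];
  const [, field, typed] = m;
  return params.map((p) => p[field]).filter((v) => v.startsWith(typed));
}

// Build the suggestion list markup. Every candidate passes through
// escapeHtml, both in the visible text and in the data attribute, so the
// result can be assigned to innerHTML without executing stored markup.
function renderSuggestions(prefix, params = PARAMETERS) {
  return completions(prefix, params)
    .map((c) => `<li data-value="${escapeHtml(c)}">${escapeHtml(c)}</li>`)
    .join("");
}

console.log(renderSuggestions("name = "));
```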
Associated revisions
fixes #5471 html escape auto-completer values (CVE-2014-0208)
(cherry picked from commit ee672544f1ad5990ca0e39acd86f83cbbe06ebe9)
History
#1
Updated by Dominic Cleal almost 9 years ago
- Status changed from New to Ready For Testing
- Assignee set to Amos Benari
- Legacy Backlogs Release (now unused) set to 17
#2
Updated by Dominic Cleal almost 9 years ago
- Subject changed from Stored XSS inside search auto-complete key names via parameters to CVE-2014-0208 - Stored XSS inside search auto-complete key names via parameters
#3
Updated by Dominic Cleal almost 9 years ago
- File 0001-fixes-5471-html-escape-auto-completer-values.patch added
- Status changed from Ready For Testing to Pending
Attaching patch from Amos against develop.
#4
Updated by Dominic Cleal almost 9 years ago
- Private changed from Yes to No
#5
Updated by Amos Benari almost 9 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Applied in changeset ee672544f1ad5990ca0e39acd86f83cbbe06ebe9.
fixes #5471 html escape auto-completer values (CVE-2014-0208)