Project

General

Profile

Actions

Bug #5881

closed

CVE-2014-3491 - XSS from create/update/destroy notification boxes

Added by Dominic Cleal almost 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>

Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript


Files


Related issues 3 (0 open3 closed)

Related to Foreman - Bug #6351: <br /> seen in UI errors when multiple errors exist on a resourceDuplicate06/24/2014Actions
Related to Foreman - Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...>ClosedDominic Cleal06/26/2014Actions
Related to Foreman - Bug #6903: "<br/>" in text when receiving error while deleting multiple hostsClosed08/04/2014Actions
Actions #1

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from XSS from create/update/destroy notification boxes to EMBARGOED: XSS from create/update/destroy notification boxes
Actions #2

Updated by Dominic Cleal almost 10 years ago

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)

Actions #3

Updated by Joseph Magen almost 10 years ago

  • Status changed from New to Assigned

Rails automatic escapes/sanitizes text strings when saving to the db, so this is the reason of the "strange formatting"

I emailed patch.

Actions #4

Updated by Dominic Cleal almost 10 years ago

Please just attach the patch for review here, thanks.

Actions #5

Updated by Dominic Cleal almost 10 years ago

Attached is the v1 patch.

Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.

I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.

Actions #6

Updated by Dominic Cleal almost 10 years ago

  • translation missing: en.field_release set to 16
Actions #7

Updated by Joseph Magen almost 10 years ago

new patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize

Actions #8

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from EMBARGOED: XSS from create/update/destroy notification boxes to EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes
Actions #9

Updated by Dominic Cleal almost 10 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Joseph!

Actions #10

Updated by Dominic Cleal almost 10 years ago

  • Target version changed from 1.8.2 to 1.8.1
Actions #11

Updated by Dominic Cleal almost 10 years ago

  • translation missing: en.field_release changed from 16 to 19
Actions #13

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes to CVE-2014-3491 - XSS from create/update/destroy notification boxes
  • Private changed from Yes to No
Actions #14

Updated by Joseph Magen almost 10 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
Actions #15

Updated by Dominic Cleal almost 10 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.

Actions #16

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #6351: <br /> seen in UI errors when multiple errors exist on a resource added
Actions #17

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> added
Actions #18

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts added
Actions

Also available in: Atom PDF