Project

General

Profile

Actions
Copy link

Bug #5881

closed

CVE-2014-3491 - XSS from create/update/destroy notification boxes

Added by Dominic Cleal about 11 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
High
Assignee:
Joseph Magen
Category:
Security
Target version:
1.4.5
Difficulty:
Triaged:
Bugzilla link:
1100313
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>

Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript

Files

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.8 KB v1 patch Dominic Cleal, 06/10/2014 04:23 PM
0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.71 KB Joseph Magen, 06/11/2014 01:19 PM
0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 4.84 KB v3 patch against develop Dominic Cleal, 06/17/2014 04:03 PM
0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.38 KB v3 patch against 1.4-stable Dominic Cleal, 06/17/2014 04:04 PM

Related issues 3 (0 open3 closed)

Related to Foreman - Bug #6351: <br /> seen in UI errors when multiple errors exist on a resourceDuplicate06/24/2014Actions
Related to Foreman - Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...>ClosedDominic Cleal06/26/2014Actions
Related to Foreman - Bug #6903: "<br/>" in text when receiving error while deleting multiple hostsClosed08/04/2014Actions
Actions
Copy link
 #1

Updated by Dominic Cleal about 11 years ago

  • Subject changed from XSS from create/update/destroy notification boxes to EMBARGOED: XSS from create/update/destroy notification boxes
Actions
Copy link
 #2

Updated by Dominic Cleal about 11 years ago

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)

Actions
Copy link
 #3

Updated by Joseph Magen almost 11 years ago

  • Status changed from New to Assigned

Rails automatic escapes/sanitizes text strings when saving to the db, so this is the reason of the "strange formatting"

I emailed patch.

Actions
Copy link
 #4

Updated by Dominic Cleal almost 11 years ago

Please just attach the patch for review here, thanks.

Actions
Copy link
 #5

Updated by Dominic Cleal almost 11 years ago

Attached is the v1 patch.

Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.

I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.

Actions
Copy link
 #6

Updated by Dominic Cleal almost 11 years ago

  • Translation missing: en.field_release set to 16
Actions
Copy link
 #7

Updated by Joseph Magen almost 11 years ago

new patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize

Actions
Copy link
 #8

Updated by Dominic Cleal almost 11 years ago

  • Subject changed from EMBARGOED: XSS from create/update/destroy notification boxes to EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes
Actions
Copy link
 #9

Updated by Dominic Cleal almost 11 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Joseph!

Actions
Copy link
 #10

Updated by Dominic Cleal almost 11 years ago

  • Target version changed from 1.8.2 to 1.8.1
Actions
Copy link
 #11

Updated by Dominic Cleal almost 11 years ago

  • Translation missing: en.field_release changed from 16 to 19
Actions
Copy link
 #13

Updated by Dominic Cleal almost 11 years ago

  • Subject changed from EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes to CVE-2014-3491 - XSS from create/update/destroy notification boxes
  • Private changed from Yes to No
Actions
Copy link
 #14

Updated by Joseph Magen almost 11 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #15

Updated by Dominic Cleal almost 11 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.

Actions
Copy link
 #16

Updated by Dominic Cleal almost 11 years ago

  • Related to Bug #6351: <br /> seen in UI errors when multiple errors exist on a resource added
Actions
Copy link
 #17

Updated by Dominic Cleal almost 11 years ago

  • Related to Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> added
Actions
Copy link
 #18

Updated by Dominic Cleal almost 11 years ago

  • Related to Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts added
Actions
Copy link

Also available in: Atom PDF