Project

General

Profile

Bug #5881

CVE-2014-3491 - XSS from create/update/destroy notification boxes

Added by Dominic Cleal almost 9 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Joseph Magen
Category:
Security
Target version:
1.4.5
Difficulty:
Triaged:
Bugzilla link:
1100313
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>

Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.8 KB v1 patch Dominic Cleal, 06/10/2014 04:23 PM
0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.71 KB Joseph Magen, 06/11/2014 01:19 PM
0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 4.84 KB v3 patch against develop Dominic Cleal, 06/17/2014 04:03 PM
0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch 3.38 KB v3 patch against 1.4-stable Dominic Cleal, 06/17/2014 04:04 PM

Related issues

Related to Foreman - Bug #6351: <br /> seen in UI errors when multiple errors exist on a resourceDuplicate2014-06-24
Related to Foreman - Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...>Closed2014-06-26
Related to Foreman - Bug #6903: "<br/>" in text when receiving error while deleting multiple hostsClosed2014-08-04

Associated revisions

Revision 983075c0 (diff)
Added by Joseph Magen almost 9 years ago

fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)

Revision dae1ac11 (diff)
Added by Joseph Magen almost 9 years ago

fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)

(cherry picked from commit 983075c0c0e95c0d4715591325e88c90c7f09d71)

Revision 3d7c94c9 (diff)
Added by Joseph Magen almost 9 years ago

fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)

Conflicts:
app/controllers/concerns/foreman/controller/taxonomies_controller.rb
app/controllers/hostgroups_controller.rb
app/controllers/roles_controller.rb

History

#1 Updated by Dominic Cleal almost 9 years ago

  • Subject changed from XSS from create/update/destroy notification boxes to EMBARGOED: XSS from create/update/destroy notification boxes

#2 Updated by Dominic Cleal almost 9 years ago

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)

#3 Updated by Joseph Magen almost 9 years ago

  • Status changed from New to Assigned

Rails automatic escapes/sanitizes text strings when saving to the db, so this is the reason of the "strange formatting"

I emailed patch.

#4 Updated by Dominic Cleal almost 9 years ago

Please just attach the patch for review here, thanks.

#5 Updated by Dominic Cleal almost 9 years ago

Attached is the v1 patch.

Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.

I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.

#6 Updated by Dominic Cleal almost 9 years ago

  • Legacy Backlogs Release (now unused) set to 16

#7 Updated by Joseph Magen almost 9 years ago

new patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize

#8 Updated by Dominic Cleal almost 9 years ago

  • Subject changed from EMBARGOED: XSS from create/update/destroy notification boxes to EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes

#9 Updated by Dominic Cleal almost 9 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Joseph!

#10 Updated by Dominic Cleal almost 9 years ago

  • Target version changed from 1.8.2 to 1.8.1

#11 Updated by Dominic Cleal almost 9 years ago

  • Legacy Backlogs Release (now unused) changed from 16 to 19

#13 Updated by Dominic Cleal almost 9 years ago

  • Subject changed from EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes to CVE-2014-3491 - XSS from create/update/destroy notification boxes
  • Private changed from Yes to No

#14 Updated by Joseph Magen almost 9 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#15 Updated by Dominic Cleal almost 9 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.

#16 Updated by Dominic Cleal over 8 years ago

  • Related to Bug #6351: <br /> seen in UI errors when multiple errors exist on a resource added

#17 Updated by Dominic Cleal over 8 years ago

  • Related to Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> added

#18 Updated by Dominic Cleal over 8 years ago

  • Related to Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts added

Also available in: Atom PDF