Bug 1100313 (CVE-2014-3491)
| Summary: | CVE-2014-3491 foreman: XSS in Configure -> Host groups key name | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Saleh <asaleh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dcleal, security-response-team, tjay |
| Target Milestone: | --- | Keywords: | Security, Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://projects.theforeman.org/issues/5881 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-30 02:41:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1130555 | ||
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881. This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves. The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time. Upstream fix: http://projects.theforeman.org/projects/foreman/repository/revisions/983075c0c0e95c0d4715591325e88c90c7f09d71 External References: http://theforeman.org/security.html#2014-3491 This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream. his issue has been addressed in the following products: Red Hat Satellite 6 Via the GA release of Satellite 6. |
Description of problem: possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted Version-Release number of selected component (if applicable): Satellite-6.0.3-RHEL-6-20140520.2 How reproducible: always Steps to Reproduce: 1. In webUI go to Configure -> Host groups -> New Host groups 2. Fill in this: Name: test<script>alert('HI')</script> Click "Submit" to create the hostgroup 3. Note that parameter name is correctly escaped in the parameters list Actual results: Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed) Expected results: Submit button should not execute javascript