Bug 1129846 (CVE-2014-3592)

Summary: CVE-2014-3592 OpenShift Origin: XSS in team name
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: bleanhar, ccoleman, dmcphers, jdetiber, jechoi, jialiu, jkeck, jokerman, jrusnack, kseifried, lmeyer, mmccomas, mmcgrath
Last Closed: 2014-08-13 19:16:16 UTC
Bug Depends On: 1128564

Description Kurt Seifried 2014-08-13 19:15:20 UTC
Jeremy Choi of Red Hat reports:

Description of problem:

Since a team's name is not properly validated, stored XSS attacks are possible. Once scripts are injected when a team is created, the scripts will be run when the team name is shown later. 

Currently, only length is checked for the team name.

(in controller/app/models/team.rb)
  validates :name,
    presence: {message: "Name is required and cannot be blank"},
    length:   {maximum: 250, minimum: 2, message: "Team name must be a minimum of 2 and maximum of 250 characters."}

For the PoC steps for the XSS on the online devenv_5060, see below.

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:
1. Create a global team with XSS payload
oo-broker
cd /var/www/openshift/broker
script/rails c
Team.create :name => "Global team 1 - <script>alert('xss')</script>"
2. Go to the domain page (/app/console/domain/$domain_name) and follow the menus, 'Edit members...' -> 'Add a team...'
3. Try to make the team name show up by searching with e.g. 'Global'

Actual results:

See the attached

Expected results:

Stricter input validation/output sanitization is required for team name.

Additional info:

Comment 1 Luke Meyer 2014-08-13 19:40:27 UTC
Global teams can only be created by administrators, whom we generally trust not to XSS their users.

The console ought to ensure the team name is properly escaped though. That does seem like a bug, if not much of a security one.

If user-owned teams can be created and displayed this way, then it's surely an XSS bug. Can't see the blocking bug to see if that's what it's about.
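Added example, not code from the OpenShift Origin tree or from either commenter: a plain-Ruby stand-in for the Team name validation quoted in the description, showing the length-only rule beside an allow-list rule, and the output-side escaping Comment 1 asks of the console. The method names, the allow-list regex and the rendered <option> markup are assumptions made for illustration; the payload is the one from the reproduction steps, and no Rails or database is needed to run it.

```ruby
require "cgi"

# Constructed payload, taken from the bug's reproduction steps.
XSS_PAYLOAD = "Global team 1 - <script>alert('xss')</script>"

# The rule quoted from controller/app/models/team.rb, re-expressed without
# ActiveModel: presence and length are the only checks, so the payload passes.
def name_errors_length_only(name)
  errors = []
  errors << "Name is required and cannot be blank" if name.nil? || name.strip.empty?
  unless name.to_s.length.between?(2, 250)
    errors << "Team name must be a minimum of 2 and maximum of 250 characters."
  end
  errors
end

# Assumed hardened rule (hypothetical allow-list, not the project's): letters,
# digits, spaces and a few punctuation characters. Anything HTML-significant
# (< > & " /) is refused at the model, so the payload never reaches the store.
SAFE_NAME = /\A[[:alnum:] _.\-']+\z/

def name_errors_strict(name)
  errors = name_errors_length_only(name)
  unless name.to_s.match?(SAFE_NAME)
    errors << "Team name may only contain letters, digits, spaces and _ . - '"
  end
  errors
end

# Output side, independent of what the model accepts: every place the console
# renders a team name must HTML-escape it. CGI.escapeHTML (stdlib) turns
# < > & " ' into entities, which is what an ERB view gets from h()/html_escape.
def render_team_option(name)
  escaped = CGI.escapeHTML(name)
  "<option value=\"#{escaped}\">#{escaped}</option>"
end

# Check used by the test: does the rendered markup still carry a live tag?
def contains_raw_script_tag?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  puts "length-only errors: #{name_errors_length_only(XSS_PAYLOAD).inspect}"
  puts "strict errors:      #{name_errors_strict(XSS_PAYLOAD).inspect}"
  puts "escaped markup:     #{render_team_option(XSS_PAYLOAD)}"
end
```

Run with `ruby team_name_xss.rb`. The allow-list is defence in depth; the fix that actually closes the bug is the escaping at render time, because a name already stored by an administrator through `Team.create` (as in the reproduction) bypasses any model validation added later.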