Bug 1305677 (CVE-2016-2104)
| Summary: | CVE-2016-2104 Satellite 5: stored and reflected XSS vulnerabilities | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bkearney, ggainey, meissner, security-response-team, taw, thomas, tkasparek, tlestach |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-04-04 17:02:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1313515 | ||
| Bug Blocks: | 1305684 | ||
|
Description
Kurt Seifried
2016-02-08 21:35:10 UTC
BunchDetail - rhn:toolbar and rl:listset tags need to stop trusting their input
Issues with "hidden":
396 total instances where we use either <html:hidden> or <input type="hidden>, and a value output with something like 'value="${param.ksid}"/>
214 'unique':
(1305677_XSS) ~/git/satellite/java $ find . -name \*.jsp\* | xargs grep hidden | grep 'value=\"${' | grep -v 'c:out' | cut -f 2- -d: | sort -b -u | wc -l
214
105 <html:hidden>, 109 <input type="hidden">
If the html:hidden values are coming from form-vars, then they should be getting scrubbed already (need some more investigation to verify). That would leave us with 109 instances that we'd just have to track down and store 'correctly'. Perhaps build an RhnHiddenTag that encodes its value, always, and force its use everywhere we currently use <input type="hidden">?
BunchDetail - #c2 is incorrect. The issue here is constructs like the following:
<bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>
where 'label' is set based on incoming parameter values:
String bunchLabel = request.getParameter("label");
request.setAttribute("label", bunchLabel);
To avoid the XSS attack, when/wherever we do BOTH of these things, setAttribute() must be called with a StringEscapeUtils.escapeHtml() around the value.
There are 196 instances in spacewalk we should check, to fix this kind-of problem.
RE the (over)use of <input type='hidden'> with unescaped values - I have a set of changes to HiddenInputTag.java, and a sed-script that converts all of our <input type="hidden"> to <rhn:hidden> instances, which enforce always using StringEscapeUtils.escapeHtml() on the value=. This needs more testing, to make sure it doesn't break anything.
Acknowledgments: Name: Adam Willard (Raytheon Foreground Security) This issue has been addressed in the following products: Red Hat Satellite 5.7 Via RHSA-2016:0590 https://rhn.redhat.com/errata/RHSA-2016-0590.html |