| Summary: | Unsanitized input in username field on login page | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Prpič <mprpic> |
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> |
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.2 | CC: | cfeist, cluster-maint, idevat, omular, rsteiger, tojeline |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pcs-0.9.151-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Cause: User enters username containing HTML code to login page and submits the login form. Consequence: Login page reloads showing an error message informing about unsuccessful login. HTML code in username is interpreted as part of the page. Fix: Properly sanitize username when rendering it in login page. Result: Username cannot be used for HTML injection anymore. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-03 20:57:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Created attachment 1127307
proposed fix 1
Created attachment 1127308
proposed fix 2
Test:
enter the following text to the login form and submit it:
test' name=username><script>alert('hello')</script>
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Before fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.143-15.el7.x86_64
1 Open pcs web ui
2 enter the following text to the login form and submit it:
test' name=username><script>alert('hello')</script>
3 alert box appears
After Fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.151-1.el7.x86_64
1 Open pcs web ui
2 enter the following text to the login form and submit it:
test' name=username><script>alert('hello')</script>
3 alert box does not appear
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-2596.html
Following a failed login in the pcsd web UI, the page reloads with the last user name that was entered. Because the user name is not sanitized, it allows a user to inject a script that will then get executed. This can be reproduced by entering the following user name in the login form:
test' name=username><script>alert('hello')</script>
While this would qualify as a cross-site scripting issue, it cannot be used to construct a malicious link that could be sent to an unsuspecting victim. The expected result is that the user name is properly sanitized, or not returned at all on a failed login.
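
The fix described in this report (escaping the user name when the login page is rendered), shown as an added Ruby example that is not part of the original bug or of pcs's own code. The single-quoted ERB fragment and the helper names are assumptions, chosen to match how the test string breaks out of an attribute value.

```ruby
require 'erb'
require 'cgi'

# Test string quoted in this bug report.
PAYLOAD = "test' name=username><script>alert('hello')</script>"

# Hypothetical login-form fragment (assumed, not pcsd's real view): after a
# failed login the submitted user name is echoed into a single-quoted attribute.
UNSAFE_VIEW = "<input type='text' name='username' value='<%= username %>'>"

# Same fragment with the value HTML-escaped at render time.
SAFE_VIEW =
  "<input type='text' name='username' value='<%= ERB::Util.html_escape(username) %>'>"

# Render a view with the given user name bound as a local variable.
def render_login_field(view, username)
  ERB.new(view).result(binding)
end

# Names of all elements opened in the rendered fragment. The form fragment
# should only ever open one element: the <input> itself.
def opened_elements(html)
  html.scan(/<\s*([A-Za-z][A-Za-z0-9]*)/).flatten.map(&:downcase)
end

# Value the browser would assign to the input's value attribute, decoded,
# or nil if the attribute is missing.
def value_attribute(html)
  m = html.match(/value='([^']*)'/)
  m && CGI.unescapeHTML(m[1])
end

if __FILE__ == $PROGRAM_NAME
  [UNSAFE_VIEW, SAFE_VIEW].each do |view|
    html = render_login_field(view, PAYLOAD)
    puts html
    puts "  elements: #{opened_elements(html).inspect}"
    puts "  value:    #{value_attribute(html).inspect}"
  end
end
```

With the unescaped view the attribute value ends at the first apostrophe and a second element is opened; with the escaped view the whole string stays inside the value attribute and is shown back to the user unchanged.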