Bug 1322710

Summary: XSS when you create a group with HTML via SSM or API and check a snapshot with this group's join/leave
Product: Red Hat Satellite 5
Reporter: Jan Hutař <jhutar>
Component: WebUI
Assignee: Grant Gainey <ggainey>
Status: CLOSED ERRATA
QA Contact: Radovan Drazny <rdrazny>
Severity: low
Priority: unspecified
Version: 570
CC: rdrazny, tlestach
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spacewalk-java-2.3.8-147-sat
Doc Type: Bug Fix
Last Closed: 2016-07-26 07:46:37 UTC
Type: Bug
Bug Blocks: 1322747

Description Jan Hutař 2016-03-31 07:52:11 UTC
Description of problem:
There is a possible XSS when you create a group with HTML via SSM or API and check a snapshot with this group's join/leave.


Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-134.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Use SSM to create a group:
   Systems -> System Set Manager -> Groups -> Create Group
     Name: '"><script>alert()</script>'
     Description: whatever
   OR use the API to create such a group:
     client.systemgroup.create(key, 'bz"><script>alert("created name")</script>', 'bz"><script>alert("created desc")</script>')
2. Choose a system and make sure it has the Provisioning add-on entitlement
3. Systems -> <system> -> Groups -> Join -> select the group you created
   in step "1."
4. Systems -> <system> -> Provisioning -> Snapshots -> <newest_one> -> Groups
5. Ensure you see the group from step "1." there. If you do not, find
   the snapshot where you can see it (if you made more actions with the
   system, this might not be trivial :-))


Actual results:
If you are in the correct snapshot (see step "5."), a JavaScript alert appears.


Expected results:
Group name is properly escaped.


Additional info:
Found when working on bug 1320452.
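As an added illustration (not code from the bug report or from spacewalk-java), the rendering mistake and its fix side by side in Python: one function builds a snapshot Groups row the way an unescaped template would, the other applies HTML output encoding, and an audit helper flags existing group records whose name or description contains markup characters so an administrator can find groups created before the fix. The group records are constructed inline; the dict field names are an assumption modelled on the arguments systemgroup.create takes, not the real API listing format.

```python
import html
from typing import Dict, List

# Constructed sample records (assumption: one dict per group with 'id', 'name',
# 'description', modelled on the arguments systemgroup.create takes). The last
# record carries the exact name/description payload from the reproducer above.
SAMPLE_GROUPS: List[Dict[str, object]] = [
    {"id": 1, "name": "web-servers", "description": "Production web tier"},
    {"id": 2, "name": "db <prod>", "description": "Database hosts"},
    {"id": 3,
     "name": 'bz"><script>alert("created name")</script>',
     "description": 'bz"><script>alert("created desc")</script>'},
]

# Characters that change meaning when copied into HTML without encoding.
MARKUP_CHARS = set('<>"\'&')
ALLOWED_ACTIONS = ("joined", "left")


def has_markup(text: object) -> bool:
    """True if any HTML metacharacter appears in the value."""
    return any(ch in MARKUP_CHARS for ch in str(text))


def find_suspicious_groups(groups: List[Dict[str, object]]) -> List[object]:
    """Audit helper: ids of groups whose name or description contains markup.

    Run over an API group listing to find names stored before the fix that
    would have rendered as script on the snapshot Groups page."""
    return [g["id"] for g in groups
            if has_markup(g["name"]) or has_markup(g["description"])]


def render_group_row_unsafe(name: str, action: str) -> str:
    """The bug: the group name is copied verbatim into the snapshot table."""
    return f"<tr><td>{name}</td><td>{action}</td></tr>"


def render_group_row(name: str, action: str) -> str:
    """The fix: HTML-encode the user-controlled name; the action column is
    restricted to a fixed vocabulary rather than encoded."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unexpected snapshot action: {action!r}")
    return f"<tr><td>{html.escape(name, quote=True)}</td><td>{action}</td></tr>"


if __name__ == "__main__":
    print("groups needing review:", find_suspicious_groups(SAMPLE_GROUPS))
    for g in SAMPLE_GROUPS:
        print(render_group_row(str(g["name"]), "joined"))
```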

Comment 1 Grant Gainey 2016-06-09 15:34:19 UTC
CVE is public, this BZ should be as well

spacewalk.github: 23f46724d31c476f16fb1a8fe3ee113460640f43

Comment 4 Radovan Drazny 2016-06-24 12:19:49 UTC
Reproduced on spacewalk-java-2.3.8-142.el6sat using the reproducer from the initial report. The JavaScript alert got executed as described; groups were created both by WebUI and API with the same result.
After updating to spacewalk-java-2.3.8-144.el6sat, group names in snapshots are displayed correctly and JavaScript is not executed.
VERIFIED

Comment 7 Radovan Drazny 2016-07-19 12:18:21 UTC
Re-verified with spacewalk-java-2.3.8-147 as described in the comment #4.

Comment 9 errata-xmlrpc 2016-07-26 07:46:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1484.html