Bug 1460208

Summary: organization name allows XSS
Product: Red Hat Satellite 5
Reporter: Ales Dujicek <adujicek>
Component: Server
Assignee: Jiří Dostál <jdostal>
Status: CLOSED ERRATA
QA Contact: Jan Hutař <jhutar>
Severity: medium
Priority: medium
Version: 580
CC: ggainey, jdostal, jhutar, lhellebr, tkasparek, tlestach
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: component:security
Fixed In Version: spacewalk-java-2.5.14-95-sat
Doc Type: If docs needed, set a value
Last Closed: 2017-09-06 12:27:53 UTC
Type: Bug
Bug Blocks: 1450111, 1471262

Comment 1 Tomas Lestach 2017-06-09 11:28:21 UTC
Ales, can you confirm Sat 5.7 behaves the same?

Comment 2 Ales Dujicek 2017-06-09 12:31:42 UTC
Yes, it is same on Sat 5.7.

Comment 3 Jiří Dostál 2017-06-23 10:44:12 UTC
spacewalk 872c56ecf6e158c742e406ba14c0fcb28bcd711c

Comment 4 Tomas Lestach 2017-06-26 08:54:17 UTC
Jiri, cannot the fix be handled in the jsp?

Comment 5 Grant Gainey 2017-06-26 11:49:34 UTC
(In reply to Tomas Lestach from comment #4)
> Jiri, cannot the fix be handled in the jsp?

Yeah, this can't be handled by limiting the org-name - people put all kinds of things there. The way we fix XSS in the app is to make sure everything that shows up in the UI is escaped. Just using <c:out> is enough, it defaults to escapeXml=true.

Comment 6 Kurt Seifried 2017-06-26 17:42:59 UTC
Does this need admin access to exploit? I assume setting the org name is restricted.

Comment 7 Tomas Lestach 2017-06-27 09:16:57 UTC
This restricts to the Satellite Administrator role. An Organization Admin cannot change organization name (neither via WebUI, nor via API).

Comment 8 Jiří Dostál 2017-06-27 13:21:05 UTC
Reverted previous commit by 5f86c30d53f6303d245fe94ba2d2b230cb3be14b

spacewalk.git aa2afde75f6f9e8f2e314c9385192751541a0f41

Comment 9 Kurt Seifried 2017-07-14 20:49:53 UTC
CVE assigned and flaw bug created and linked from here, looks like we'll fix in sat 5.8 correct?

Comment 14 Tomáš Kašpárek 2017-08-23 14:14:36 UTC
spacewalk.git(master): 91a397e32933e66354816e1a6dce1ec556f9eb6d

Comment 17 Tomáš Kašpárek 2017-08-24 07:58:07 UTC
spacewalk.git(master): 930497fe4b8732f8cf8ecae9a017a7eb956a6c90

Comment 20 Tomáš Kašpárek 2017-08-24 09:14:40 UTC
spacewalk.git(master): d7e27c64b8303f2b0303fc5f52cff908f5acae47

Comment 23 Lukáš Hellebrandt 2017-08-30 10:06:35 UTC
Re-verified with spacewalk-java-2.5.14-95.

Checked for all the URLs mentioned here and Channels -> Software Channels -> *

Note: You must set org name using API, if you use WebUI, the "<>" characters are removed before being saved to the database. (Creating another BZ about this inconsistency.)

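The two points made in comment 5 (escape on output with <c:out>, whose escapeXml defaults to true) and comment 23 (the WebUI strips "<" and ">" on save, the API does not) can be shown side by side. The following is an added example, not Spacewalk's own code: it reproduces the substitutions JSTL's escapeXml applies (<, >, &, ' and " become &lt;, &gt;, &amp;, &#039; and &#034;) in plain Java, and renders a constructed org name the way an unescaped ${orgName} would, the way <c:out value="${orgName}"/> would, and after a hypothetical reconstruction of the WebUI-side bracket stripping.

```java
// Added example, not Spacewalk code. Mirrors what <c:out escapeXml="true">
// does to a value, and contrasts it with the WebUI's "<"/">" stripping
// on save described in comment 23, which the API path does not apply.
public class OrgNameEscaping {

    /** Same substitutions JSTL's escapeXml performs on the value of <c:out>. */
    public static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Equivalent of writing ${orgName} straight into the JSP (the bug). */
    public static String renderUnescaped(String orgName) {
        return "<td>" + orgName + "</td>";
    }

    /** Equivalent of <td><c:out value="${orgName}"/></td> (the fix). */
    public static String renderEscaped(String orgName) {
        return "<td>" + escapeXml(orgName) + "</td>";
    }

    /**
     * Hypothetical reconstruction of the WebUI save filter from comment 23:
     * it drops "<" and ">" before the name reaches the database. The API
     * path stores the name as given, so this is not a fix, only an
     * inconsistency between the two input paths.
     */
    public static String stripAngleBrackets(String orgName) {
        return orgName.replace("<", "").replace(">", "");
    }

    public static void main(String[] args) {
        // Constructed sample org name, set via the API so nothing is stripped.
        String viaApi = "Acme <script>alert(document.cookie)</script>";

        // Unescaped: the script element reaches the browser as markup.
        System.out.println(renderUnescaped(viaApi));
        // <c:out>: the same bytes arrive as literal text and render as text.
        System.out.println(renderEscaped(viaApi));

        // Same value typed into the WebUI: brackets are gone before storage,
        // which is why the reproducer in comment 23 has to use the API.
        System.out.println(renderUnescaped(stripAngleBrackets(viaApi)));
    }
}
```

Output escaping at the point where the value is written into the page is what closes the bug for every input path at once; filtering one input path, as the WebUI does, leaves the stored value untouched when it arrives via the API.
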
Comment 24 errata-xmlrpc 2017-09-06 12:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645