Bug 1460208

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | organization name allows XSS | | |
| Product: | Red Hat Satellite 5 | Reporter: | Ales Dujicek <adujicek> |
| Component: | Server | Assignee: | Jiří Dostál <jdostal> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Hutař <jhutar> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 580 | CC: | ggainey, jdostal, jhutar, lhellebr, tkasparek, tlestach |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | component:security | | |
| Fixed In Version: | spacewalk-java-2.5.14-95-sat | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-09-06 12:27:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1450111, 1471262 | | |
Comment 1
Tomas Lestach
2017-06-09 11:28:21 UTC

Yes, it is the same on Sat 5.7.

spacewalk 872c56ecf6e158c742e406ba14c0fcb28bcd711c

Jiri, cannot the fix be handled in the jsp?

(In reply to Tomas Lestach from comment #4)
> Jiri, cannot the fix be handled in the jsp?

Yeah, this can't be handled by limiting the org-name - people put all kinds of things there. The way we fix XSS in the app is to make sure everything that shows up in the UI is escaped. Just using <c:out> is enough, it defaults to escapeXml=true.

Does this need admin access to exploit? I assume setting the org name is restricted.

This restricts to the Satellite Administrator role. An Organization Admin cannot change organization name (neither via WebUI, nor via API).

Reverted previous commit by 5f86c30d53f6303d245fe94ba2d2b230cb3be14b

spacewalk.git aa2afde75f6f9e8f2e314c9385192751541a0f41

CVE assigned and flaw bug created and linked from here, looks like we'll fix in sat 5.8, correct?

spacewalk.git(master): 91a397e32933e66354816e1a6dce1ec556f9eb6d
spacewalk.git(master): 930497fe4b8732f8cf8ecae9a017a7eb956a6c90
spacewalk.git(master): d7e27c64b8303f2b0303fc5f52cff908f5acae47

Re-verified with spacewalk-java-2.5.14-95. Checked for all the URLs mentioned here and Channels -> Software Channels -> *

Note: You must set org name using API, if you use WebUI, the "<>" characters are removed before being saved to the database. (Creating another BZ about this inconsistency.)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645
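The output-escaping fix the thread settles on, shown as an added JSP example that is not code from the spacewalk repository or from the commits referenced above; the bean property `${org.name}` and the sample org name are assumed/constructed for illustration:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed sample: an org name set through the API (the WebUI strips "<>",
     the API does not). Assume ${org.name} holds:  <i>Acme</i>
     Any markup in the value, script tags included, reaches the browser as-is
     when it is emitted unescaped. --%>

<%-- Vulnerable pattern: raw EL output. The browser receives the tags verbatim
     and interprets them as HTML. --%>
<h1>${org.name}</h1>

<%-- Fixed pattern: <c:out> escapes the XML-significant characters < > & ' "
     by default (escapeXml="true"), so the value renders as literal text:
     <h1>&lt;i&gt;Acme&lt;/i&gt;</h1> --%>
<h1><c:out value="${org.name}"/></h1>

<%-- Same protection when the value sits inside an attribute, where <c:out>
     cannot be used; fn:escapeXml applies the same escaping. --%>
<input type="text" name="orgName" value="${fn:escapeXml(org.name)}"/>

<%-- Keep the default: escapeXml="false" on <c:out> reintroduces the bug. --%>
```

Because the fix is applied at output time, it covers org names written by any path (API or WebUI) without having to restrict which characters the name may contain.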