Bug 2165626

Summary: PT: OSD: Content Spoofing Flaw
Product: [Other] Security Response
Component: vulnerability
Reporter: juneau
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: dfreiber, jburrell, rogbas, vkumar
Doc Type: If docs needed, set a value
Bug Blocks: 2155344

Description juneau 2023-01-30 15:40:05 UTC
Content Spoofing in https://54.177.115.56:6443/

Synopsis
Content Spoofing (also known as Content Injection) is one of the common web security
vulnerabilities. It allows an end user of the vulnerable web application to spoof or modify the
actual content of a web page. The user can exploit a weakness in the website to inject content of
their choosing into the target page. When an application does not properly handle user-supplied
data, an attacker can supply content to the web application, typically via a parameter value, that
is reflected back to the user.

OpenShift at 54.177.115.56:6443 is prone to text injection, a subcategory of content spoofing in
which the user is able to inject only plain text into the page. In other words, it is not possible to
inject executable JavaScript, shell commands or HTML content. In the majority of cases the user
can only change some of the text content that is already on the website. In this particular case,
the content to be displayed in the UI is passed via request parameters, which can be modified by
the user.
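The pattern the report describes, shown as an added example (not code from OpenShift or from the reporter): a handler that reflects a request parameter as page text is escaped, so no HTML or script gets through, yet the wording is still attacker-controlled; the hardened variant lets the client select only a code, with every displayed string fixed on the server. Handler names, the `msg`/`code` parameters and the message table are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
)

// vulnerableHandler shows the text injection flaw: the message is taken verbatim
// from the request. Escaping blocks HTML and JavaScript, but whoever crafts the
// URL still chooses the sentence the victim reads on the page.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("msg")
	fmt.Fprintf(w, "<p>%s</p>", html.EscapeString(msg))
}

// messages is the server-side allowlist of everything the page may display
// (constructed for this example).
var messages = map[string]string{
	"expired": "Your session has expired. Please sign in again.",
	"denied":  "You do not have permission to view this resource.",
}

// hardenedHandler accepts only a code and maps it to fixed text; unknown codes
// fall back to a generic message, so request data never reaches the page body.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	msg, ok := messages[r.URL.Query().Get("code")]
	if !ok {
		msg = "An error occurred."
	}
	fmt.Fprintf(w, "<p>%s</p>", html.EscapeString(msg))
}

// render runs a handler against a constructed GET request with the given query
// string and returns the response body, so both variants can be compared offline.
func render(h http.HandlerFunc, query string) string {
	req := httptest.NewRequest(http.MethodGet, "/login?"+query, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// The same request against both handlers: only the first reflects the input.
	fmt.Println(render(vulnerableHandler, "msg=This+text+came+from+the+URL"))
	fmt.Println(render(hardenedHandler, "msg=This+text+came+from+the+URL"))
	fmt.Println(render(hardenedHandler, "code=expired"))
}
```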