Bug 742050 (CVE-2011-4346)

Summary: CVE-2011-4346 satellite: XSS flaw in custom system information key handling
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: acarter, cperry, jhutar, jlieskov, jpazdziora, mjc, rlowe, security-response-team, slukasik
Doc Type: Bug Fix
Last Closed: 2011-12-07 19:27:40 UTC
Bug Depends On: 756768
Bug Blocks: 622406, 756765

Description Vincent Danen 2011-09-28 21:11:22 UTC
A cross-site scripting (XSS) flaw was found in the way the 'System Details' => 'Details' => 'Custom Info' page of the Red Hat Network Satellite web interface sanitized the value (the Description field) of the asset tag / key assigned to a particular system, created via the 'Custom System Info' page. An authenticated Red Hat Network Satellite user could use this flaw to execute arbitrary HTML or web script code via a specially crafted value for the asset 'Custom System Info' key.

Acknowledgements:

Red Hat would like to thank William Hoffmann for reporting this issue.

Comment 11 Jan Pazdziora 2011-11-22 10:02:41 UTC
Proposed patch:

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:00:23.807818164 -0500
@@ -219,6 +219,7 @@
   foreach my $cv (@{$data}) {
 
     my %subs = (label => $cv->{KEY}, value => $cv->{VALUE}, key_id => $cv->{ID});
+    PXT::Utils->escapeHTML_multi(\%subs);
     $ret .= PXT::Utils->perform_substitutions($params{__block__}, \%subs);
   }
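Review bot: escapeHTML_multi(\%subs) escapes label and key_id along with value, which is what the index page needs, but key_id is only visible here as `$cv->{ID}` and is presumably placed into a link inside `$params{__block__}`; confirm it is numeric or apply URL encoding there as well, since HTML escaping alone does not make a value safe in a query string. Note also that `$data` itself stays unescaped, so the escaped copy in %subs must not be written back to the record.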

Comment 12 Jan Pazdziora 2011-11-22 10:08:30 UTC
However, this only addresses /network/systems/details/custominfo/index.pxt.

The /network/systems/details/custominfo/edit.pxt needs to be addressed for input data like

   </textarea><script>alert(document.cookie)</script>

For that, patch

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:06:07.926608675 -0500
@@ -136,7 +136,7 @@
     $subs{value_created} = $data_ref->{CREATED} . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY});
     $subs{value_modified} = $data_ref->{LAST_MODIFIED} . " by " . PXT::Utils->escapeHTML($data_ref->{LAST_MODIFIED_BY});
     $subs{key_label} = PXT::Utils->escapeHTML($data_ref->{KEY});
-    $subs{value} = $data_ref->{VALUE};
+    $subs{value} = PXT::Utils->escapeHTML($data_ref->{VALUE});
   }
   else {
     $server->set_custom_value(-user_id => $pxt->user->id,
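Review bot: wrapping `$data_ref->{VALUE}` in escapeHTML is the right fix for the `</textarea>` breakout quoted in the comment, since `<` becomes `&lt;` before the value is placed into the form; for consistency, `$data_ref->{CREATED}` and `$data_ref->{LAST_MODIFIED}` two lines above are still concatenated unescaped, which is acceptable only if they are server-generated timestamps rather than user-controlled strings.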

is also needed.

Comment 13 Jan Pazdziora 2011-11-22 10:10:36 UTC
It should be noted that the latest Spacewalk (1.6 to be) has these WebUI pages rewritten from Perl to Java and it does not seem to suffer from the XSS issue. However, in Spacewalk, the special characters seem to be stripped, so for example

    <script>alert(document.cookie)</script>

becomes

    scriptalertdocument.cookie/script

upon save. We need to investigate and hopefully address this Spacewalk issue as well because traditionally, any character could be saved as custom info value.
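The escape-before-substitute pattern from the Perl patches, contrasted with the strip-on-save behaviour described in this comment, as an added example that is not Satellite or Spacewalk code. escape_html, escape_html_multi, perform_substitutions and scrub are stand-ins for the PXT::Utils routines and the Spacewalk filter, assumed rather than copied from either project.

```perl
# Added example (not Satellite or Spacewalk code): a stand-in for the Sniglets
# substitution loop, showing why escaping every value before substitution (the
# CustomInfo.pm fix) beats stripping characters on save (Spacewalk 1.6 behaviour).
use strict;
use warnings;

# Minimal HTML escaping, the role PXT::Utils->escapeHTML plays in the patch.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Escape every value of a hash in place (the role of escapeHTML_multi).
sub escape_html_multi {
    my ($h) = @_;
    $h->{$_} = escape_html($h->{$_}) for keys %$h;
}

# Replace {token} placeholders in a template block (a toy perform_substitutions).
sub perform_substitutions {
    my ($block, $subs) = @_;
    $block =~ s/\{(\w+)\}/exists $subs->{$1} ? $subs->{$1} : ''/ge;
    return $block;
}

# Assumed strip-on-save filter that reproduces the Spacewalk output quoted
# above; the real filter is not shown on this page.
sub scrub { my ($s) = @_; $s =~ s{[^\w./ ]}{}g; return $s }

# Constructed inputs: the two payloads quoted in the comments above.
my $edit_tpl = '<textarea name="value">{value}</textarea>';
my $breakout = '</textarea><script>alert(document.cookie)</script>';
my $script   = '<script>alert(document.cookie)</script>';

# Unpatched edit page: the raw value closes the textarea and the script is live.
print "vulnerable: ", perform_substitutions($edit_tpl, { value => $breakout }), "\n";

# Patched: escape first, then substitute; the value is shown verbatim but inert.
my %subs = (label => 'asset-tag', value => $breakout);
escape_html_multi(\%subs);
print "escaped:    ", perform_substitutions($edit_tpl, \%subs), "\n";

# Stripping also blocks the script but mangles what the user actually saved.
print "stripped:   ", scrub($script), "\n";
```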

Comment 14 Jan Pazdziora 2011-11-22 15:02:11 UTC
The Spacewalk patches would be:

diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
index 4189ced..058d1d5 100644
--- a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
+++ b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
@@ -34,7 +34,7 @@
             <tr>
               <th>${current.label}</th>
               <td width="50%">
-                <pre>${current.value}</pre>
+                <pre><c:out value="${current.value}" /></pre>
                 <a href="/rhn/systems/details/UpdateCustomData.do?sid=${system.id}&cikid=${current.cikid}">
                   <bean:message key="sdc.details.customdata.editvalue"/>
                 </a>
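Review bot: `<c:out>` fixes `${current.value}`, but `${current.label}` in the `<th>` two lines above is still emitted as a raw EL expression, and the href below interpolates `${system.id}` and `${current.cikid}` without escaping and joins the parameters with a bare `&`; wrap the label in `<c:out>` as well (or confirm key labels are scrubbed on input) and write the separator as `&amp;`.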
diff --git a/java/code/webapp/WEB-INF/struts-config.xml b/java/code/webapp/WEB-INF/struts-config.xml
index 97ddfc0..ddb46f9 100644
--- a/java/code/webapp/WEB-INF/struts-config.xml
+++ b/java/code/webapp/WEB-INF/struts-config.xml
@@ -1128,6 +1128,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="description" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="description"/>
     </form-bean>
 
     <form-bean name="updateCustomDataForm"
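Review bot: the new `no_scrub` form-property carries no comment explaining what it disables, and form-bean properties are populated from request parameters, so confirm that the scrubbing code honours only the `initial` value and cannot be overridden by a submitted `no_scrub` parameter; a fixed configuration outside the form bean would be safer. Exempting `description` from input scrubbing also means every page that renders it must now escape on output, which should be documented with the change.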
@@ -1136,6 +1137,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="value" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="value"/>
     </form-bean>
 
     <form-bean name="updateTaskSchedule"
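Review bot: same concern as for the key form: exempting `value` from input scrubbing is only safe if every JSP that renders it escapes on output. This patch fixes listcustomdata.jsp, but the UpdateCustomData page that the link in that JSP points to, which presents the value in an editable form (the analogue of edit.pxt in the Perl code), is not touched here and should be checked for the same textarea breakout.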

Comment 16 Jan Lieskovsky 2011-11-24 13:40:02 UTC
The CVE identifier of CVE-2011-4346 has been assigned to this issue.

Comment 19 Jan Lieskovsky 2011-11-24 15:10:09 UTC
The preliminary embargo date for this issue has been set to Wednesday, 2011-12-07.

Comment 20 errata-xmlrpc 2011-12-07 19:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:1794 https://rhn.redhat.com/errata/RHSA-2011-1794.html