Bug 742050 (CVE-2011-4346)
| Summary: | CVE-2011-4346 satellite: XSS flaw in custom system information key handling | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acarter, cperry, jhutar, jlieskov, jpazdziora, mjc, rlowe, security-response-team, slukasik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-07 19:27:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 756768 | | |
| Bug Blocks: | 622406, 756765 | | |
Description
Vincent Danen
2011-09-28 21:11:22 UTC
Proposed patch: --- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig 2010-09-10 18:04:52.000000000 -0400 +++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm 2011-11-22 05:00:23.807818164 -0500 @@ -219,6 +219,7 @@ foreach my $cv (@{$data}) { my %subs = (label => $cv->{KEY}, value => $cv->{VALUE}, key_id => $cv->{ID}); + PXT::Utils->escapeHTML_multi(\%subs); $ret .= PXT::Utils->perform_substitutions($params{__block__}, \%subs); } However, this only addresses /network/systems/details/custominfo/index.pxt. The /network/systems/details/custominfo/edit.pxt needs to be addressed for input data like </textarea><script>alert(document.cookie)</script> For that, patch --- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig 2010-09-10 18:04:52.000000000 -0400 +++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm 2011-11-22 05:06:07.926608675 -0500 @@ -136,7 +136,7 @@ $subs{value_created} = $data_ref->{CREATED} . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY}); $subs{value_modified} = $data_ref->{LAST_MODIFIED} . " by " . PXT::Utils->escapeHTML($data_ref->{LAST_MODIFIED_BY}); $subs{key_label} = PXT::Utils->escapeHTML($data_ref->{KEY}); - $subs{value} = $data_ref->{VALUE}; + $subs{value} = PXT::Utils->escapeHTML($data_ref->{VALUE}); } else { $server->set_custom_value(-user_id => $pxt->user->id, is also needed. It should be noted that the latest Spacewalk (1.6 to be) has these WebUI pages rewritten from Perl to Java and it does not seem to suffer from the XSS issue. However, in Spacewalk, the special characters seem to be stripped, so for example <script>alert(document.cookie)</script> becomes scriptalertdocument.cookie/script upon save. We need to investigate and hopefully address this Spacewalk issue as well because traditionally, any character could be saved as custom info value. The Spacewalk patches would be: 
diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp index 4189ced..058d1d5 100644 --- a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp +++ b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp @@ -34,7 +34,7 @@ <tr> <th>${current.label}</th> <td width="50%"> - <pre>${current.value}</pre> + <pre><c:out value="${current.value}" /></pre> <a href="/rhn/systems/details/UpdateCustomData.do?sid=${system.id}&cikid=${current.cikid}"> <bean:message key="sdc.details.customdata.editvalue"/> </a> diff --git a/java/code/webapp/WEB-INF/struts-config.xml b/java/code/webapp/WEB-INF/struts-config.xml index 97ddfc0..ddb46f9 100644 --- a/java/code/webapp/WEB-INF/struts-config.xml +++ b/java/code/webapp/WEB-INF/struts-config.xml @@ -1128,6 +1128,7 @@ <form-property name="label" type="java.lang.String" /> <form-property name="description" type="java.lang.String" /> <form-property name="submitted" type="java.lang.Boolean" /> + <form-property name="no_scrub" type="java.lang.String" initial="description"/> </form-bean> <form-bean name="updateCustomDataForm" @@ -1136,6 +1137,7 @@ <form-property name="label" type="java.lang.String" /> <form-property name="value" type="java.lang.String" /> <form-property name="submitted" type="java.lang.Boolean" /> + <form-property name="no_scrub" type="java.lang.String" initial="value"/> </form-bean> <form-bean name="updateTaskSchedule" The CVE identifier of CVE-2011-4346 has been assigned to this issue. The preliminary embargo date for this issue has been set up to Wednesday, 2011-12-07. This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2011:1794 https://rhn.redhat.com/errata/RHSA-2011-1794.html
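Review bot: in the first CustomInfo.pm hunk (@@ -219,6 +219,7 @@) `PXT::Utils->escapeHTML_multi(\%subs)` escapes label, value and key_id together right before `perform_substitutions`, which is the correct layer (output, not storage) and leaves stored values intact; the change carries no regression test, so add one that pushes a custom value containing `<`, `>` and `&` through this block and asserts that the substituted output contains only the entity forms.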
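Review bot: in the second CustomInfo.pm hunk (@@ -136,7 +136,7 @@) only `$data_ref->{VALUE}` gains `escapeHTML`, while `$data_ref->{CREATED}` and `$data_ref->{LAST_MODIFIED}` are still concatenated raw into `value_created` and `value_modified`. They are presumably database timestamps, but for consistency with the already-escaped CREATED_BY and LAST_MODIFIED_BY wrap them as well, e.g. `PXT::Utils->escapeHTML($data_ref->{CREATED}) . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY})`, so nothing in that line depends on what the database happens to return.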
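Review bot: the listcustomdata.jsp hunk wraps only `${current.value}` in `<c:out>`; `<th>${current.label}</th>` on the line above is still raw EL, and since the bug title covers custom key handling the label should get the same `<c:out value="${current.label}" />` treatment. Minor: the `&` in the UpdateCustomData.do href should be written `&amp;` in the JSP output.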
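Review bot: in the first struts-config.xml hunk (@@ -1128,6 +1128,7 @@) the new `no_scrub` property with `initial="description"` exempts the description of the form bean shown here (label, description, submitted) from input scrubbing, which is the right direction (escape on output rather than mangle on save), but it also means every JSP that renders a key description must now escape it; this patch only touches the value cell in listcustomdata.jsp, so audit the pages that display description before shipping.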
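Review bot: in the second struts-config.xml hunk (@@ -1136,6 +1137,7 @@) `no_scrub` with `initial="value"` on updateCustomDataForm stores the value verbatim, restoring the behaviour the comment asks for; the listcustomdata.jsp hunk escapes it on the details page, but the edit form that pre-fills the value for UpdateCustomData.do must escape too (a Struts `html:textarea` does; a raw `${...}` inside a `<textarea>` does not, which is exactly the edit.pxt problem described above for the Perl pages).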
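The fix across all of the hunks above is the same: keep the stored custom-info value untouched and escape it at the point where it is written into HTML, rather than stripping characters on save as the comment reports Spacewalk doing. The following Perl script is an added example (not Satellite or Spacewalk code) that shows the two approaches side by side on constructed data; `escape_html`, `escape_html_multi`, `scrub` and `render` are hypothetical stand-ins for `PXT::Utils->escapeHTML`, `escapeHTML_multi`, the Spacewalk scrubber and `perform_substitutions`, and the scrubber's character set is only a guess that reproduces the behaviour quoted in the comment.

```perl
#!/usr/bin/perl
# Added example, not Satellite/Spacewalk code: store custom-info values raw,
# escape on output. All function names below are hypothetical stand-ins.
use strict;
use warnings;

# Escape the characters that carry meaning in HTML text and attribute context
# (stand-in for PXT::Utils->escapeHTML).
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Escape every value of a hash in place, as escapeHTML_multi(\%subs) does in
# the index.pxt hunk.
sub escape_html_multi {
    my ($subs) = @_;
    $subs->{$_} = escape_html($subs->{$_}) for keys %$subs;
    return $subs;
}

# Input-side scrubbing as the comment describes Spacewalk doing: characters are
# dropped on save, so the stored value no longer round-trips. The character
# class is constructed to reproduce the quoted result, not the real rules.
sub scrub {
    my ($s) = @_;
    $s =~ s/[<>()]//g;
    return $s;
}

# Substitute {name} placeholders from a hash (stand-in for perform_substitutions).
sub render {
    my ($tmpl, $subs) = @_;
    (my $out = $tmpl) =~ s{\{(\w+)\}}{ $subs->{$1} // '' }ge;
    return $out;
}

# Constructed record: a legitimate value that happens to contain markup
# characters, plus the probe string quoted in the bug comment.
my %record = (KEY => 'boot_args', ID => 42,
              VALUE => 'console=ttyS0 <root=/dev/sda1> && echo "done"');
my @values = ($record{VALUE}, '<script>alert(document.cookie)</script>');

# Listing template (index.pxt style) and edit template (edit.pxt style).
my $list_tmpl = '<th>{label}</th><td><pre>{value}</pre></td>';
my $edit_tmpl = '<textarea name="value">{value}</textarea>';

for my $raw (@values) {
    my %subs = (label => $record{KEY}, value => $raw, key_id => $record{ID});
    escape_html_multi(\%subs);
    # The browser shows the original characters in <pre> and submits them back
    # from <textarea> unchanged, yet "&lt;/textarea&gt;" cannot close the element.
    print render($list_tmpl, \%subs), "\n";
    print render($edit_tmpl, \%subs), "\n";
    # Scrubbing instead loses the angle brackets (and parentheses) for good.
    print "scrubbed on input: ", scrub($raw), "\n\n";
}
```

Running it shows the escaped output keeping every byte of the stored value recoverable, while the scrubbed copy of the second string comes out as `scriptalertdocument.cookie/script`, matching the result the comment reports; the first string loses its `<root=/dev/sda1>` brackets the same way, which is why output escaping is the safer fix for a field that historically accepted any character.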