Bug 963568 (CVE-2013-2101)

Summary: CVE-2013-2101 Katello: Multiple XSS in various entities
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: adprice, athomas, bkearney, cpelland, ehelms, jrusnack, kseifried, mmccune, msuchy, sclewis, security-response-team, walden
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-01-17 05:34:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 963569, 963572, 995657
Bug Blocks: 963573, 1000138

Description Kurt Seifried 2013-05-16 07:33:38 UTC
Eric Helms (ehelms) reports:

I have identified a number of areas and entities within Katello that are vulnerable to a cross-site scripting attack.

Reproducible: Always

Steps to Reproduce:
1. Log in
2. Navigate to Changeset/Repository/System/Distributor/Filter
3. Create a new entity from above giving it the name <a href="http://www.google.com">Entity 1</a>
4. Submit
Actual Results:
- Notification pops up saying success with a clickable link
- Users can navigate to 'Notices' page and see clickable link from successful creation of the entity
- If creating a Changeset, the changeset name will appear clickable inside the right hand list on the Changeset Management page

Expected Results:
The name should appear fully escaped everywhere that it is used.

This is a twofold issue:

1. This issue is not present with some entities due to model validation on the backend that prevents the use of HTML <,>,/ characters.  The entities defined above in the steps do not have this validation on their name property.

2. There are a few places where user input is not escaped on output. These locations are:
 - Notices displayed to the user are marked as html_safe to account for the application putting links for the user into some notices. This has the downside of presenting all notices unescaped to the user and opening this XSS hole.
 - In some areas of the application, JavaScript is used to construct templates and concatenate user input data from the server. Since this data is not escaped when input to the JavaScript, the result comes out with an XSS hole.
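
The two escaping gaps described above, shown as an added Ruby example that is not Katello's own code: a success notice composed with and without escaping the user-controlled entity name, plus a name check of the kind the report says some backend models already apply. The helper names and the "/katello/systems/1" path are assumptions.

```ruby
# Added example (not Katello code). The report says notices are marked
# html_safe so the application can embed its own links; the fix is to
# escape only the user-controlled fragment before composing the markup.
require 'erb'

# Constructed sample input: the entity name from step 3 of the report.
USER_NAME = '<a href="http://www.google.com">Entity 1</a>'.freeze

# Vulnerable composition: the raw name is interpolated into a string that
# will later be rendered as HTML, so the anchor tag becomes a live link.
def unsafe_notice(entity_type, name)
  "Successfully created #{entity_type} '#{name}'."
end

# Hardened composition: the untrusted name (and the path) go through
# html_escape, while the application's own link markup stays literal.
# Assumed show_path, e.g. "/katello/systems/1".
def safe_notice(entity_type, name, show_path)
  escaped_name = ERB::Util.html_escape(name)
  escaped_path = ERB::Util.html_escape(show_path)
  "Successfully created #{entity_type} '#{escaped_name}'. " \
    "<a href=\"#{escaped_path}\">View</a>"
end

# Backend-style validation mirroring the one the report describes for the
# entities that are not affected: reject names containing any of < > /.
def name_allowed?(name)
  !name.match?(%r{[<>/]})
end
```

Output escaping at render time is the control that closes the hole; the validation only narrows which entities can carry such a name.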

Comment 4 Bryan Kearney 2014-06-30 16:27:50 UTC
There have been several fixes (outlined below) in this area. The majority of the entities (system_group_packages, system_group_errata, promotions, repositories, changesets, distributors, content_views) are not in SAM. I vote we CLOSE/WONTFIX this.

commit e0eb37f7bbf9794587f959803f4e6f5f4ec070c7
Author: Adam Price <komidore64>
Date:   Wed Aug 28 17:26:37 2013 -0400

    1001173 - User notification message should escape html characters
    from custom info
    (cherry picked from commit ddb90f4666e86c8d80cf899eef88e41bbafed524)

added to the bug. This was added in 1.4.3-12

commit c38ed1e5e9c9914af463692692a51a8c0b8bb494
Author: Adam Price <komidore64>
Date:   Wed Jul 24 17:58:53 2013 -0400

    987909 - Org names rendered as HTML
    
    making sure ORG name is escaped if it has HTML characters in its name.
    
    this includes changes to jeditable's default text.content function and a
    quick substitution of characters in displayed notices

which was added in katello-1.4.3-1

commit 40e586f4f93a785166fac9590fbf1ff6723a0cc5
Author: Adam Price <komidore64>
Date:   Wed Jul 17 11:26:48 2013 -0400

    982196 - UI editing description
    
    override jeditable's textarea 'content' function to not escape text with
    <, >

which was added in katello-1.4.3-1