Bug 1129846 (CVE-2014-3592) - CVE-2014-3592 OpenShift Origin: XSS in team name
Summary: CVE-2014-3592 OpenShift Origin: XSS in team name
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3592
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140813,repor...
Depends On: 1128564
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-13 19:15 UTC by Kurt Seifried
Modified: 2019-06-08 20:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-13 19:16:16 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2014-08-13 19:15:20 UTC
Jeremy Choi of Red Hat reports:

Description of problem:

Since a team's name is not properly validated, stored XSS attacks are possible. Once scripts are injected when a team is created, the scripts will be run when the team name is shown later. 

Currently, only length is checked for the team name.

(in controller/app/models/team.rb)
27   validates :name,
28     presence: {message: "Name is required and cannot be blank"},
29     length:   {maximum: 250, minimum: 2, message: "Team name must be a minimum of 2 and maximum of 250 characters."}

For the PoC of XSS steps in online devenv_5060, see below.

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:
1. Create a global team with XSS payload
oo-broker
cd /var/www/openshift/broker
script/rails c
Team.create :name => "Global team 1 - <script>alert('xss')</script>"
2. Go to domain page(/app/console/domain/$domian_name) and follow the menus, 'Edit members...' -> 'Add a team...'
3. Try to make the team name shown up by searching with e.g. 'Global'

Actual results:

See the attached

Expected results:

Stricter input validation/output sanitization is required for team name.

Additional info:

Comment 1 Luke Meyer 2014-08-13 19:40:27 UTC
Global teams can only be created by administrators, whom we generally trust not to XSS their users.

The console ought to ensure the team name is properly escaped though. That does seem like a bug, if not much of a security one.

If user-owned teams can be created and displayed this way, then it's surely an XSS bug. Can't see the blocking bug to see if that's what it's about.


Note You need to log in before you can comment on or make changes to this bug.