Bug 1255168 – CVE-2015-5215 ipsilon: XSS in multiple pages

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1255168 - (CVE-2015-5215) CVE-2015-5215 ipsilon: XSS in multiple pages

Summary:	CVE-2015-5215 ipsilon: XSS in multiple pages

Status:	NEW

Aliases:	CVE-2015-5215

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150819,repor...
Keywords:	Security

Depends On:	1255176 1255775
Blocks:	1255174
	Show dependency tree / graph

Reported:	2015-08-19 16:22 EDT by Kurt Seifried
Modified:	2018-06-29 18:06 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that the Ipsilon IdP server used the default configuration of the Jinja templating engine, which did not HTML escape template variables. This could be exploited to perform an XSS attack if a value from untrusted input was used in the template and rendered in the user`s browser.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kurt Seifried 2015-08-19 16:22:05 EDT

Michael Scherer of Red Hat reports:

ipsilon does not escape HTML when processing templates.

Comment 1 Simo Sorce 2015-08-19 16:35:11 EDT

Can you please be a little biut more specific ?
As far as I know jinja2 escapes by default and I am not aware that we are using manual escaping anywhere.

Comment 2 Kurt Seifried 2015-08-19 16:35:55 EDT

Created ipsilon tracking bugs for this issue:

Affects: fedora-all [bug 1255176]

Comment 4 Simo Sorce 2015-08-19 16:43:31 EDT

Uhm re-reading jinja2 documentation 3 times I finally see they say the escaping is not enabled automatically now :-(

Comment 6 Ilya Etingof 2015-08-24 04:36:01 EDT

Acknowledgement:

This issue was discovered by Michael Scherer of Red Hat.

Comment 7 Ján Rusnačko 2015-08-24 04:44:41 EDT

Analysis:

It was found that Ipsilon used default configuration of Jinja templating engine, which did not html escape template variables. This could be exploited to perform XSS attack if a value from untrusted input was used in the template that is rendered to the user`s browser.

Note You need to log in before you can comment on or make changes to this bug.