Bug 1305677 (CVE-2016-2104) - CVE-2016-2104 Satellite 5: stored and reflected XSS vulnerabilities
Summary: CVE-2016-2104 Satellite 5: stored and reflected XSS vulnerabilities
Alias: CVE-2016-2104
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1313515
Blocks: 1305684
TreeView+ depends on / blocked
Reported: 2016-02-08 21:35 UTC by Kurt Seifried
Modified: 2021-02-17 04:22 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users.
Clone Of:
Last Closed: 2016-04-04 17:02:38 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0590 0 normal SHIPPED_LIVE Moderate: spacewalk-java security update 2016-04-04 19:35:36 UTC

Description Kurt Seifried 2016-02-08 21:35:10 UTC
Adam Willard reports the following XSS flaws in Satellite 5:




<input type="hidden" name="package_name" value="sac">Test<script>alert(1)</script>" />
<input type="hidden" name="search_subscribed_channels" value="yes">test<script>alert(2)</script>" />
<input type="hidden" name="channel_filter" value="539"><script>alert(3)</script>" />

Comment 2 Grant Gainey 2016-02-15 21:08:43 UTC
BunchDetail - rhn:toolbar and rl:listset tags need to stop trusting their input

Issues with "hidden":

396 total instances where we use either <html:hidden> or <input type="hidden>, and a value output with something like 'value="${param.ksid}"/> 

214 'unique':

(1305677_XSS) ~/git/satellite/java $ find . -name \*.jsp\* | xargs grep hidden | grep 'value=\"${' | grep -v 'c:out' | cut -f 2- -d: | sort -b -u | wc -l

105 <html:hidden>, 109 <input type="hidden">

If the html:hidden values are coming from form-vars, then they should be getting scrubbed already (need some more investigation to verify). That would leave us with 109 instances that we'd just have to track down and store 'correctly'. Perhaps build an RhnHiddenTag that encodes its value, always, and force its use everywhere we currently use <input type="hidden">?

Comment 3 Grant Gainey 2016-02-16 21:45:45 UTC
BunchDetail - #c2 is incorrect. The issue here is constructs like the following:

  <bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>

where 'label' is set based on incoming parameter values:

  String bunchLabel = request.getParameter("label");
  request.setAttribute("label", bunchLabel);

To avoid the XSS attack, when/wherever we do BOTH of these things, setAttribute() must be called with a StringEscapeUtils.escapeHtml() around the value.

There are 196 instances in spacewalk we should check, to fix this kind-of problem.

RE the (over)use of <input type='hidden'> with unescaped values - I have a set of changes to HiddenInputTag.java, and a sed-script that converts all of our <input type="hidden"> to <rhn:hidden> instances, which enforce always using StringEscapeUtils.escapeHtml() on the value=. This needs more testing, to make sure it doesn't break anything.

Comment 4 Kurt Seifried 2016-02-24 16:45:11 UTC

Name: Adam Willard (Raytheon Foreground Security)

Comment 5 errata-xmlrpc 2016-04-04 15:36:45 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.7

Via RHSA-2016:0590 https://rhn.redhat.com/errata/RHSA-2016-0590.html

Note You need to log in before you can comment on or make changes to this bug.