Red Hat Bugzilla – Bug 1305786
Unsanitized input in username field on login page
Last modified: 2016-11-03 16:57:15 EDT
Following a failed login in the pcsd web UI, the page reloads with the last user name that was entered. Because the user name is not sanitized, it allows a user to inject a script that will then get executed. This can be reproduced by entering the following user name in the login form:

    test' name=username><script>alert('hello')</script>

While this would qualify as a cross-site scripting issue, it cannot be used to construct a malicious link that could be sent to an unsuspecting victim. The expected result is that the user name is properly sanitized, or not returned at all on a failed login.
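The behaviour described in the report, as an added example that is not pcsd's code and not either attached fix: a login field that echoes the submitted user name into a value attribute, once unescaped and once passed through ERB::Util.html_escape. The templates, constant names and helper functions are hypothetical, and the single-quoted attribute is an assumption based on the leading quote in the reported input.

```ruby
require "erb"

# Hypothetical login-form fragments (constructed for this example).
# Assumption: the attribute is single-quoted, as the leading ' in the
# reported input suggests.
VULNERABLE_TEMPLATE =
  "<input type='text' name='username' value='<%= username %>'>"
HARDENED_TEMPLATE =
  "<input type='text' name='username' " \
  "value='<%= ERB::Util.html_escape(username) %>'>"

# Input from the bug report.
REPORTED_INPUT = "test' name=username><script>alert('hello')</script>"

# Render the field the way a failed login would echo the user name back.
def render_login_field(template, username)
  ERB.new(template).result(binding)
end

# Text a browser treats as the attribute value: everything up to the
# first literal single quote after value='.
def attribute_value(html)
  html[/value='([^']*)'/, 1]
end

# True when the rendered markup contains a literal <script> tag.
def script_tag_present?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  { "unescaped" => VULNERABLE_TEMPLATE,
    "escaped"   => HARDENED_TEMPLATE }.each do |label, template|
    html = render_login_field(template, REPORTED_INPUT)
    puts "#{label}:"
    puts "  markup:          #{html}"
    puts "  attribute value: #{attribute_value(html)}"
    puts "  <script> tag:    #{script_tag_present?(html)}"
  end
end
```

In the unescaped rendering the attribute ends at `test` and the rest of the input becomes markup; in the escaped rendering the whole input stays inside the attribute as character references.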
Created attachment 1127307 [details] proposed fix 1
Created attachment 1127308 [details] proposed fix 2
Test: enter the following text into the login form and submit it:

    test' name=username><script>alert('hello')</script>
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune@redhat.com with any questions.
Before fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.143-15.el7.x86_64
1 Open pcs web UI
2 Enter the following text into the login form and submit it:
    test' name=username><script>alert('hello')</script>
3 Alert box appears

After fix:
[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.151-1.el7.x86_64
1 Open pcs web UI
2 Enter the following text into the login form and submit it:
    test' name=username><script>alert('hello')</script>
3 Alert box does not appear
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2596.html