Bug 1313515 - (CVE-2016-2104) Satellite 5: multiple XSS vulnerabilities
Summary: (CVE-2016-2104) Satellite 5: multiple XSS vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 570
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-2104
Reported: 2016-03-01 18:21 UTC by Grant Gainey
Modified: 2016-04-04 15:37 UTC

Fixed In Version: spacewalk-java-2.3.8-130-sat
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-04 15:37:00 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2016:0590 | Private: no | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: spacewalk-java security update | Last Updated: 2016-04-04 19:35:36 UTC

Description Grant Gainey 2016-03-01 18:21:54 UTC
+++ This bug was initially created as a clone of Bug #1305677 +++

Adam Willard reports the following XSS flaws in Satellite 5:

/rhn/admin/BunchDetail.do?label=cobbler-sync-bunch"<script>alert(1)</script>

/rhn/software/packages/NameOverview.do?package_name=sac">Test<script>alert(1)</script>&search_subscribed_channels=yes&channel_filter=539

/rhn/software/packages/NameOverview.do?package_name=sac">Test<script>alert(1)</script>&search_subscribed_channels=yes">test<script>alert(2)</script>&channel_filter=539"><script>alert(3)</script>

<input type="hidden" name="package_name" value="sac">Test<script>alert(1)</script>" />
<input type="hidden" name="search_subscribed_channels" value="yes">test<script>alert(2)</script>" />
<input type="hidden" name="channel_filter" value="539"><script>alert(3)</script>" />

--- Additional comment from Grant Gainey on 2016-02-15 16:08:43 EST ---

BunchDetail - rhn:toolbar and rl:listset tags need to stop trusting their input

Issues with "hidden":

396 total instances where we use either <html:hidden> or <input type="hidden>, and a value output with something like 'value="${param.ksid}"/> 

214 'unique':

(1305677_XSS) ~/git/satellite/java $ find . -name \*.jsp\* | xargs grep hidden | grep 'value=\"${' | grep -v 'c:out' | cut -f 2- -d: | sort -b -u | wc -l
214

105 <html:hidden>, 109 <input type="hidden">

If the html:hidden values are coming from form-vars, then they should be getting scrubbed already (need some more investigation to verify). That would leave us with 109 instances that we'd just have to track down and store 'correctly'. Perhaps build an RhnHiddenTag that encodes its value, always, and force its use everywhere we currently use <input type="hidden">?

--- Additional comment from Grant Gainey on 2016-02-16 16:45:45 EST ---

BunchDetail - #c2 is incorrect. The issue here is constructs like the following:

  <bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>

where 'label' is set based on incoming parameter values:

  String bunchLabel = request.getParameter("label");
  request.setAttribute("label", bunchLabel);

To avoid the XSS attack, when/wherever we do BOTH of these things, setAttribute() must be called with a StringEscapeUtils.escapeHtml() around the value.

There are 196 instances in spacewalk we should check, to fix this kind of problem.

RE the (over)use of <input type='hidden'> with unescaped values - I have a set of changes to HiddenInputTag.java, and a sed-script that converts all of our <input type="hidden"> to <rhn:hidden> instances, which enforce always using StringEscapeUtils.escapeHtml() on the value=. This needs more testing, to make sure it doesn't break anything.

--- Additional comment from Kurt Seifried on 2016-02-24 11:45:11 EST ---

Acknowledgments:

Name: Adam Willard of Raytheon Foreground Security
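
The report above shows two reflection points: a raw request parameter written into the value= of an <input type="hidden">, and a raw "label" parameter handed to request.setAttribute() and then rendered through <bean:message arg0="${label}"/>. The following is an added example, not Spacewalk or Satellite code: it re-creates both constructs in Python, renders them with and without the escapeHtml()-style treatment the fix introduces, and audits the result with a real HTML parser so the break-out is measured rather than eyeballed. The escape_html() helper encodes the same characters Commons Lang StringEscapeUtils.escapeHtml() encodes (&, <, >, and the double quote) and, like escapeHtml(), leaves the apostrophe alone. That is the caveat the block also demonstrates: the fix is only sound where the value sits in a double-quoted attribute, which is exactly what the value="${ pattern grepped for above covers, and a single-quoted attribute still admits attribute injection after escaping. The payloads in REPORTED_PAYLOADS and BUNCH_LABEL_PAYLOAD are the ones quoted in the report; APOSTROPHE_PAYLOAD and the message text "Bunch: {0}" are constructed for the example and are not from the project.

```python
"""Reflected-parameter escaping, modelled on the Satellite 5 fix.

Added example, not Spacewalk code. It re-creates the two vulnerable
constructs from the report, renders each with and without escaping, and
audits the resulting markup with html.parser.
"""
from html.parser import HTMLParser

# Payloads as quoted in the bug report (request parameter -> reflected value).
REPORTED_PAYLOADS = {
    "package_name": 'sac">Test<script>alert(1)</script>',
    "search_subscribed_channels": 'yes">test<script>alert(2)</script>',
    "channel_filter": '539"><script>alert(3)</script>',
}
BUNCH_LABEL_PAYLOAD = 'cobbler-sync-bunch"><script>alert(1)</script>'
# Constructed for the single-quote caveat below; not from the report.
APOSTROPHE_PAYLOAD = "x' onmouseover='alert(4)"


def escape_html(value: str) -> str:
    """Encodes the same characters Commons Lang escapeHtml() encodes that
    matter in a double-quoted attribute: & < > and the double quote.
    The apostrophe is deliberately left alone, as escapeHtml() leaves it."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def hidden_input(name: str, value: str, escape: bool) -> str:
    """escape=False is the old <input type="hidden" value="${param.x}"/> idiom;
    escape=True is what an always-escaping <rhn:hidden> tag emits."""
    shown = escape_html(value) if escape else value
    return f'<input type="hidden" name="{name}" value="{shown}" />'


def render_form(params: dict, escape: bool) -> str:
    """The three hidden fields from the NameOverview.do report, in one form."""
    fields = "\n".join(hidden_input(n, v, escape) for n, v in params.items())
    return f'<form action="NameOverview.do">\n{fields}\n</form>'


def toolbar_title(label: str, escape: bool) -> str:
    """Models request.setAttribute("label", ...) feeding
    <bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>.
    The message text "Bunch: {0}" is assumed, not taken from spacewalk."""
    shown = escape_html(label) if escape else label
    return f"<h1>Bunch: {shown}</h1>"


def hidden_input_single_quoted(name: str, value: str) -> str:
    """Escaped, but placed in a single-quoted attribute: the caveat case.
    escapeHtml() does not touch the apostrophe, so the value can still close
    the attribute and append a new one."""
    return f"<input type=\"hidden\" name=\"{name}\" value='{escape_html(value)}' />"


class _Audit(HTMLParser):
    """Counts <script> start tags and on* attributes; records input values."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0
        self.values = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.event_handlers += sum(1 for k in attrs if k.startswith("on"))
        if tag == "script":
            self.script_tags += 1
        elif tag == "input" and attrs.get("name"):
            # html.parser decodes entities, so an escaped value round-trips
            # to the original parameter while never leaving the attribute.
            self.values[attrs["name"]] = attrs.get("value")


def audit(markup: str):
    """Return (script_tags, event_handlers, {input name: decoded value})."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.script_tags, p.event_handlers, p.values


if __name__ == "__main__":
    for escape in (False, True):
        s, _, _ = audit(render_form(REPORTED_PAYLOADS, escape))
        t, _, _ = audit(toolbar_title(BUNCH_LABEL_PAYLOAD, escape))
        print(f"escape={escape}: form injects {s} script tag(s), title injects {t}")
    _, handlers, _ = audit(hidden_input_single_quoted("x", APOSTROPHE_PAYLOAD))
    print(f"single-quoted attribute after escaping: {handlers} injected on* handler(s)")
```

audit() returns the decoded attribute values as well as the counts, so the escaped form can be checked for both properties a fix needs: no tag escapes the attribute, and the server still receives the parameter unchanged when the hidden field is posted back. The last line of output is the reason to keep the converted tags double-quoted rather than treating escapeHtml() as a universal sanitizer.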

Comment 2 Grant Gainey 2016-03-01 19:38:54 UTC
spacewalk.github commits for the <input:hidden> issue:

c006504df8a66bea60d927a4c152e67bb75bebdf
94c03423b00670908d71960037a0bf376ba57f5e
fd7d7b0d1483409f2f5833a95b409886dd9cb739
497f8c8804c4b72cac80a3b13c138e2c6e08cc7c
63e3ccec4130622059e9f89fd96bcc83269383d1
f1d8321cee97c56185c1144f8de5343167d38181

More work needed to address the <bean:message> issue.

Comment 3 Grant Gainey 2016-03-01 20:35:56 UTC
spacewalk.github 
f9444124d79af7604674be211a8ffc448b60aee9

Comment 4 Grant Gainey 2016-03-02 16:35:14 UTC
spacewalk.github:
5b21c52f8a64626ca50bd11573bde2e21c52919d
042c364db1b450ef9b4b4117dd81c98eade7f47c
bc8026d722e058c8d77bb4735495581981db70d1

Comment 5 Grant Gainey 2016-03-04 19:54:25 UTC
Fixes to a number of <bean:message argN="${}"/> uses.

spacewalk.github:
ec742b36ab79a0b91d67129dd814a48b980383ec
6fb0fbf5f625a99e8093b600dc8a1e90d6c34083

Comment 6 Grant Gainey 2016-03-07 16:12:13 UTC
Fixes missing for rhn:hidden - thanks to mcalmer

spacewalk.github:
6547ef2b84c7361b2fcdfb7a04e5b2fb5ad8c631
24c44bab07c9912df068b89796b44018ea11feaf

Comment 8 errata-xmlrpc 2016-03-16 20:06:43 UTC
Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2016:23015-02
https://errata.devel.redhat.com/advisory/23015

Comment 10 Grant Gainey 2016-03-28 17:30:49 UTC
/rhn/admin/BunchDetail.do?label=cobbler-sync-bunch"><script>alert(1)</script>
  ... not fixed (although was not in the initial report)

spacewalk-github: 5768cce9

Comment 15 errata-xmlrpc 2016-04-04 15:37:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0590.html

