Bug 1313515 - (CVE-2016-2104) Satellite 5: multiple XSS vulnerabilities
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Severity: medium
Assigned To: Grant Gainey
QA Contact: Red Hat Satellite QA List
Blocks: CVE-2016-2104
Reported: 2016-03-01 13:21 EST by Grant Gainey
Modified: 2016-04-04 11:37 EDT (History)
Fixed In Version: spacewalk-java-2.3.8-130-sat
Doc Type: Bug Fix
Last Closed: 2016-04-04 11:37:00 EDT
Type: Bug
Description Grant Gainey 2016-03-01 13:21:54 EST
+++ This bug was initially created as a clone of Bug #1305677 +++

Adam Willard reports the following XSS flaws in Satellite 5:
<input type="hidden" name="package_name" value="sac">Test<script>alert(1)</script>" />
<input type="hidden" name="search_subscribed_channels" value="yes">test<script>alert(2)</script>" />
<input type="hidden" name="channel_filter" value="539"><script>alert(3)</script>" />

--- Additional comment from Grant Gainey on 2016-02-15 16:08:43 EST ---

BunchDetail - rhn:toolbar and rl:listset tags need to stop trusting their input

Issues with "hidden":

396 total instances where we use either <html:hidden> or <input type="hidden">, and a value output with something like 'value="${param.ksid}"/>'

214 'unique':

(1305677_XSS) ~/git/satellite/java $ find . -name \*.jsp\* | xargs grep hidden | grep 'value=\"${' | grep -v 'c:out' | cut -f 2- -d: | sort -b -u | wc -l

105 <html:hidden>, 109 <input type="hidden">

If the html:hidden values are coming from form-vars, then they should be getting scrubbed already (need some more investigation to verify). That would leave us with 109 instances that we'd just have to track down and store 'correctly'. Perhaps build an RhnHiddenTag that encodes its value, always, and force its use everywhere we currently use <input type="hidden">?

--- Additional comment from Grant Gainey on 2016-02-16 16:45:45 EST ---

BunchDetail - #c2 is incorrect. The issue here is constructs like the following:

  <bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>

where 'label' is set based on incoming parameter values:

  String bunchLabel = request.getParameter("label");
  request.setAttribute("label", bunchLabel);

To avoid the XSS attack, when/wherever we do BOTH of these things, setAttribute() must be called with a StringEscapeUtils.escapeHtml() around the value.

There are 196 instances in spacewalk we should check, to fix this kind of problem.

RE the (over)use of <input type='hidden'> with unescaped values - I have a set of changes to HiddenInputTag.java, and a sed-script that converts all of our <input type="hidden"> to <rhn:hidden> instances, which enforce always using StringEscapeUtils.escapeHtml() on the value=. This needs more testing, to make sure it doesn't break anything.

--- Additional comment from Kurt Seifried on 2016-02-24 11:45:11 EST ---
Name: Adam Willard of Raytheon Foreground Security
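The audit and rewrite discussed in the comments above, as an added example that is not part of this bug report or of the Spacewalk/Satellite code: it builds a constructed JSP tree, runs the two checks the comments describe (the hidden-input grep pipeline, plus one for <bean:message argN="${...}"/>), applies a sed rewrite of the kind mentioned for <input type="hidden"> to <rhn:hidden>, and shows what escapeHtml()-style escaping does to the first reported payload. The tag name <rhn:hidden> comes from the comments; its attribute syntax, the sample JSP files and the directory names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not Spacewalk/Satellite code and not from the bug's
# participants. Audits a JSP tree for the two patterns this bug discusses,
# rewrites <input type="hidden"> to <rhn:hidden> the way the comment's
# sed-script is described to, and shows the effect of HTML escaping on the
# reported payload. The JSP files are constructed for this demo; the
# attribute syntax of <rhn:hidden> is assumed to mirror <input>.

# Create a small constructed JSP tree in a temp dir and print its path.
make_sample_tree() {
    _tree=$(mktemp -d)
    mkdir -p "$_tree/kickstart" "$_tree/channel"
    cat >"$_tree/kickstart/edit.jsp" <<'EOF'
<input type="hidden" name="ksid" value="${param.ksid}" />
<html:hidden property="ksid" value="${param.ksid}" />
<input type="hidden" name="safe" value="<c:out value='${param.ksid}'/>" />
<input type="hidden" name="literal" value="yes" />
EOF
    cat >"$_tree/channel/bunch.jsp" <<'EOF'
<bean:message key="bunch.edit.jsp.toolbar" arg0="${label}"/>
<bean:message key="bunch.edit.jsp.title" arg0="Bunch"/>
<bean:message key="bunch.edit.jsp.summary"/>
EOF
    echo "$_tree"
}

# Pattern 1: hidden inputs (<input type="hidden"> or <html:hidden>) whose
# value= is an EL expression not wrapped in <c:out>. This is the grep
# pipeline from the bug comment, with file:line prefixes kept.
find_unescaped_hidden() {
    find "$1" -name '*.jsp*' -print0 \
        | xargs -0 grep -Hn 'hidden' \
        | grep 'value="\${' \
        | grep -v 'c:out'
}

# Pattern 2: <bean:message> with an EL expression passed through argN=. The
# argument is substituted into the message text as-is, so an attribute set
# from a request parameter is reflected verbatim.
find_unescaped_message_args() {
    find "$1" -name '*.jsp*' -print0 \
        | xargs -0 grep -HnE '<bean:message[^>]*arg[0-9]+="\$\{'
}

# Count helper: strips wc's padding so the result compares as a number.
count_lines() {
    wc -l | tr -d '[:space:]'
}

# The rewrite the comment describes: every <input type="hidden"> becomes
# <rhn:hidden>, the tag that always runs escapeHtml() on value=. Output goes
# to stdout so the change can be diffed before the tree is touched.
convert_hidden_inputs() {
    sed -E 's/<input[[:space:]]+type="hidden"/<rhn:hidden/g' "$1"
}

# What StringEscapeUtils.escapeHtml()-style escaping does to the reported
# payload: quote and angle brackets become entities, so the value can no
# longer close the attribute and open a <script> element.
escape_html() {
    printf '%s\n' "$1" \
        | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Demo run over the constructed tree.
demo() {
    _demo_tree=$(make_sample_tree)
    echo "== hidden inputs with unescaped value= =="
    find_unescaped_hidden "$_demo_tree"
    echo "== bean:message args taken from EL =="
    find_unescaped_message_args "$_demo_tree"
    echo "== edit.jsp after rewrite =="
    convert_hidden_inputs "$_demo_tree/kickstart/edit.jsp"
    echo "== reported payload after escaping =="
    escape_html 'sac">Test<script>alert(1)</script>'
    rm -rf "$_demo_tree"
}
demo
```

To use it on a real checkout, call the two find_* functions with the java/ directory instead of the temp tree. The rewrite converts every hidden input, including ones whose value= already wraps the expression in <c:out>; those lines need a manual look after the rewrite.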
Comment 2 Grant Gainey 2016-03-01 14:38:54 EST
spacewalk.github commits for the <input:hidden> issue:
More work needed to address the <bean:message> issue.
Comment 3 Grant Gainey 2016-03-01 15:35:56 EST
Comment 4 Grant Gainey 2016-03-02 11:35:14 EST
Comment 5 Grant Gainey 2016-03-04 14:54:25 EST
Fixes to a number of <bean:message argN="${}"/> uses.

Comment 6 Grant Gainey 2016-03-07 11:12:13 EST
Fixes missing for rhn:hidden - thanks to mcalmer@suse.de

Comment 8 errata-xmlrpc 2016-03-16 16:06:43 EDT
Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2016:23015-02
Comment 10 Grant Gainey 2016-03-28 13:30:49 EDT
  ... not fixed (although was not in the initial report)

spacewalk-github: 5768cce9
Comment 15 errata-xmlrpc 2016-04-04 11:37:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.