Bug 1320452
| Summary: | (CVE-2016-3079) two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Jan Hutař <jhutar> |
| Component: | WebUI | Assignee: | Grant Gainey <ggainey> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 570 | CC: | tlestach |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | spacewalk-java-2.3.8-134-sat | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-04 15:37:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1320940 | ||
Description of problem:
There are two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it.

Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-129.el6sat.noarch
spacewalk-html-2.3.2-34.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1/a. Systems -> select ~2 with Provisioning add-on entitlement
     -> [Manage] in upper right corner of the page
/b. SSM -> Provisioning -> Tag Systems -> enter '"><script>alert()</script>'
     -> Tag Current Snapshots
/c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
2/a. Systems -> Systems Set Manager
/b. SSM -> in "Groups: Create and manage groups" click "Create"
/c. Fill name: '"><script>alert(1)</script>' and random description
/d. Systems -> <random_system> -> Groups -> Join
/e. join that group
/f. you are redirected to Groups -> List/Leave

Actual results:
In 1/c, 2/d and 2/f JavaScript alerts get executed.

Expected results:
No alerts.

Additional info:
I'm OK with merging this bug into a different XSS-related one if that makes sense.

spacewalk.github: 7920542f

I'm sorry, this was not part of the initial reproducer, but I realized and tested it just now:
1/a. Systems -> select ~2 with Provisioning add-on entitlement
     -> [Manage] in upper right corner of the page
/b. SSM -> Provisioning -> Tag Systems -> enter '"><script>alert()</script>'
     -> Tag Current Snapshots
/c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
new part:
/d. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshots
     -> <snapshot_with_tag> -> Snapshot Tags
This page allows XSS as well.
Also this one:
/e. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
     -> select <xss_tag> using checkbox -> [Remove Tags]
Page "Confirm Snapshot Tag Removal" triggers it.

And while on that confirm-*-removal note, one new step for the second issue here:
2/a. Systems -> Systems Set Manager
/b. SSM -> in "Groups: Create and manage groups" click "Create"
/c. Fill name: '"><script>alert(1)</script>' and random description
/d. Systems -> <random_system> -> Groups -> Join
/e. join that group
/f. you are redirected to Groups -> List/Leave
new part is:
/g. Systems -> System Groups -> <xss_group> -> Delete Group
This "System Group Deletion Confirmation" shows XSS and:
/h. ... -> Confirm
This page, saying 'System group "">" deleted.', as well. Grr.

Note that you can create a system group with a malicious name using the API as well:
    print client.systemgroup.create(key, 'bz1181152create"><script>alert("created name")</script>', 'a"><script>alert("created desc")</script>')
and to extend issue 2 even more:
/i. Users -> <user> -> System Groups
/j. Admin -> Users -> <user> -> System Groups

spacewalk.github: b6491eba

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-0590.html
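The common thread in both issues is that a value is stored by one code path (the Perl SSM pages or the XML-RPC API, as the `systemgroup.create` call in the report shows) and displayed by another (the Java confirmation pages), so filtering at one entry point cannot be relied on and the displaying side has to encode at output. The following is an added example, written for this page and not code from the bug, from Spacewalk or from the RHSA fix; it is in Python because the only code on the page is the Python XML-RPC call. The `TEMPLATE` fragment, the `render_*` functions and the `is_safe` allow-list are assumptions standing in for the real page markup; the stored names are the ones from the reproduction steps. The parser-based check shows what a browser would see as elements in each case, which is the kind of regression test that would catch both the original pages and the extra confirmation pages reported later.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the names from this bug's reproduction steps, as a
# snapshot tag or system group would store them once created through the
# SSM (Perl) pages or the systemgroup.create API call quoted in the report.
STORED_NAMES = [
    '"><script>alert()</script>',                               # issue 1, snapshot tag
    '"><script>alert(1)</script>',                              # issue 2, system group
    'bz1181152create"><script>alert("created name")</script>',  # issue 2, created via API
]

# Hypothetical page fragment standing in for the Java-side confirmation pages
# ("Confirm Snapshot Tag Removal", "System Group Deletion Confirmation").  The
# real markup differs; only the two output contexts matter here: an attribute
# value and element text.
TEMPLATE = ('<input type="checkbox" name="item" value="%s">'
            '<p>System group "%s" deleted.</p>')


def render_unescaped(name):
    """The pattern behind the bug: a stored name is interpolated into the page
    as-is, so a name containing '">' closes the attribute and starts markup."""
    return TEMPLATE % (name, name)


def render_escaped(name):
    """Hardened form: encode at the output boundary, in every context the
    value lands in.  html.escape with quote=True (the default) turns < > & " '
    into entities, so the name can neither close the attribute nor open a tag."""
    safe = html.escape(name, quote=True)
    return TEMPLATE % (safe, safe)


class TagCollector(HTMLParser):
    """Collects the start tags a browser would actually see in the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(markup):
    """Return the element names present in a rendered fragment, in order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_safe(markup, allowed=("input", "p")):
    """Regression check: the fragment may contain only the template's own
    elements.  Any other tag came from the stored name, which means output
    encoding was skipped on that page."""
    return all(tag in allowed for tag in rendered_tags(markup))


if __name__ == "__main__":
    for name in STORED_NAMES:
        raw, enc = render_unescaped(name), render_escaped(name)
        print("unescaped:", rendered_tags(raw), "-> safe" if is_safe(raw) else "-> XSS")
        print("escaped:  ", rendered_tags(enc), "-> safe" if is_safe(enc) else "-> XSS")
```

The check deliberately asks a real HTML parser which elements exist rather than grepping for the literal payload: the same stored value surfaces on several pages (tag listing, snapshot view, both removal confirmations, the user's group list), and each page has to be verified on its own output, because a fix in one template says nothing about the others.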