Description of problem:
There are two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it

Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-129.el6sat.noarch
spacewalk-html-2.3.2-34.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1/a. Systems -> select ~2 with Provisioning add-on entitlement -> [Manage] in upper right corner of the page
 /b. SSM -> Provisioning -> Tag Systems -> enter '"><script>alert()</script>' -> Tag Current Snapshots
 /c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
2/a. Systems -> Systems Set Manager
 /b. SSM -> in "Groups: Create and manage groups" click "Create"
 /c. Fill name: '"><script>alert(1)</script>' and random description
 /d. Systems -> <random_system> -> Groups -> Join
 /e. join that group
 /f. you are redirected to Groups -> List/Leave

Actual results:
In 1/c, 2/d and 2/f JavaScript alerts get executed

Expected results:
No alerts

Additional info:
I'm OK with merging this bug into a different XSS-related one if that makes sense.
spacewalk.github: 7920542f
I'm sorry, this was not part of initial reproducer, but realized and tested just now:

1/a. Systems -> select ~2 with Provisioning add-on entitlement -> [Manage] in upper right corner of the page
 /b. SSM -> Provisioning -> Tag Systems -> enter '"><script>alert()</script>' -> Tag Current Snapshots
 /c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags

new part:

 /d. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshots -> <snapshot_with_tag> -> Snapshot Tags

This page allows XSS as well.
Also this one:

 /e. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags -> select <xss_tag> using checkbox -> [Remove Tags]

Page "Confirm Snapshot Tag Removal" triggers it.
And while on that confirm-*-removal-note, one new step for the second issue here:

2/a. Systems -> Systems Set Manager
 /b. SSM -> in "Groups: Create and manage groups" click "Create"
 /c. Fill name: '"><script>alert(1)</script>' and random description
 /d. Systems -> <random_system> -> Groups -> Join
 /e. join that group
 /f. you are redirected to Groups -> List/Leave

new part is:

 /g. Systems -> System Groups -> <xss_group> -> Delete Group

This "System Group Deletion Confirmation" shows XSS and:

 /h. ... -> Confirm

this page saying 'System group "">" deleted.' as well.
Grr. Note that you can create a system group with a malicious name using the API as well:

  print client.systemgroup.create(key, 'bz1181152create"><script>alert("created name")</script>', 'a"><script>alert("created desc")</script>')

and to extend issue 2 even more:

 /i. Users -> <user> -> System Groups
 /j. Admin -> Users -> <user> -> System Groups
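
Added example, not part of the original report and not Spacewalk code: a regression check for the group-name case in issue 2, verifying that a stored name is rendered as inert text on a page that displays it. The two render functions are hypothetical stand-ins for a page template, and the markup they emit is constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Name taken from step 2/c of the report.
PAYLOAD = '"><script>alert(1)</script>'

def render_unescaped(name):
    """Hypothetical template that concatenates the stored name as-is."""
    return '<input type="checkbox" name="group" value="' + name + '"> ' + name

def render_escaped(name):
    """Same hypothetical template with the name HTML-escaped, quotes included."""
    safe = escape(name, quote=True)
    return '<input type="checkbox" name="group" value="' + safe + '"> ' + safe

class MarkupAudit(HTMLParser):
    """Records every element, attribute value and text run the parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.values, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values.extend(v for _, v in attrs if v is not None)

    def handle_data(self, data):
        self.text.append(data)

def name_is_inert(html_fragment, name, allowed_tags=("input",)):
    """True when the name created no extra elements and round-trips intact
    both as an attribute value and as visible text."""
    audit = MarkupAudit()
    audit.feed(html_fragment)
    audit.close()  # flush buffered trailing text
    no_new_elements = all(t in allowed_tags for t in audit.tags)
    return (no_new_elements
            and name in audit.values
            and name in "".join(audit.text))

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, name_is_inert(render(PAYLOAD), PAYLOAD))
```

The same check applies to each page named in the steps (group lists, deletion confirmations, snapshot tag lists) by feeding it the rendered markup of that page's name cell.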
spacewalk-.github: b6491eba
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-0590.html