Bug 1320452 - (CVE-2016-3079) two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it
Summary: (CVE-2016-3079) two XSS issues due to element creation in SSM (Perl stack) an...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 570
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks: CVE-2016-3079
TreeView+ depends on / blocked
 
Reported: 2016-03-23 09:19 UTC by Jan Hutař
Modified: 2016-04-04 15:37 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-04-04 15:37:25 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0590 normal SHIPPED_LIVE Moderate: spacewalk-java security update 2016-04-04 19:35:36 UTC

Description Jan Hutař 2016-03-23 09:19:23 UTC
Description of problem:
There are two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it


Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-129.el6sat.noarch
spacewalk-html-2.3.2-34.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1/a. Systems -> select ~2 with Provisioning add-on entitlement
     -> [Manage] in upper right corner of the page
 /b. SSM -> Provisioninng -> Tag Systems -> enter '"><script>alert()</script>'
     -> Tag Current Snapshots
 /c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
2/a. Systems -> Systems Set Manager
 /b. SSM -> in "Groups: Create and manage groups" click "Create"
 /c. Fill name: '"><script>alert(1)</script>' and random description
 /d. Systems -> <random_system> -> Groups -> Join
 /e. join that group
 /f. you are redirected to Groups -> List/Leave


Actual results:
In 1/c, 2/d and 2/f JavaScript alerts get executed


Expected results:
No alerts


Additional info:
I'm OK with merging this bug into different XSS related if that makes sense.

Comment 1 Grant Gainey 2016-03-28 18:58:45 UTC
spacewalk.github: 
7920542f

Comment 4 Jan Hutař 2016-03-30 09:50:23 UTC
I'm sorry, this was not part of initial reproducer, but realized and tested just now:

1/a. Systems -> select ~2 with Provisioning add-on entitlement
     -> [Manage] in upper right corner of the page
 /b. SSM -> Provisioninng -> Tag Systems -> enter '"><script>alert()</script>'
     -> Tag Current Snapshots
 /c. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags

new part:

 /d. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshots
     -> <snapshot_with_tag> -> Snapshot Tags

This page allows XSS as well.

Comment 5 Jan Hutař 2016-03-30 09:52:58 UTC
Also this one:

 /e. SSM -> Systems -> <one_of_the_systems> -> Provisioning -> Snapshot Tags
     -> select <xss_tag> using checkbox -> [Remove Tags]

Page "Confirm Snapshot Tag Removal" triggers it.

Comment 6 Jan Hutař 2016-03-30 09:59:48 UTC
And while on that confirm-*-removal-note, one new step for the second issue here:

2/a. Systems -> Systems Set Manager
 /b. SSM -> in "Groups: Create and manage groups" click "Create"
 /c. Fill name: '"><script>alert(1)</script>' and random description
 /d. Systems -> <random_system> -> Groups -> Join
 /e. join that group
 /f. you are redirected to Groups -> List/Leave

new part is:

 /g. Systems -> System Groups -> <xss_group> -> Delete Group

This "System Group Deletion Confirmation" shows XSS and:

 /h. ... -> Confirm

this page saying 'System group "">" deleted.' as well.

Comment 7 Jan Hutař 2016-03-30 10:07:40 UTC
Grr. Note that you can create system group with malicious name using API as well:

  print client.systemgroup.create(key, 'bz1181152create"><script>alert("created name")</script>', 'a"><script>alert("created desc")</script>')

and to extend issue 2 even more:

 /i. Users -> <user> -> System Groups
 /j. Admin -> Users -> <user> -> System Groups

Comment 8 Grant Gainey 2016-03-30 17:25:57 UTC
spacewalk-.github:
b6491eba

Comment 13 errata-xmlrpc 2016-04-04 15:37:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0590.html


Note You need to log in before you can comment on or make changes to this bug.