Bug 1322710 - XSS when you create group with HTML via SSM or API and checks snapshot with this group join/leave
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 570
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Radovan Drazny
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-3097
Reported: 2016-03-31 07:52 UTC by Jan Hutař
Modified: 2016-07-26 07:46 UTC (History)

Fixed In Version: spacewalk-java-2.3.8-147-sat
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-26 07:46:37 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Product Errata RHSA-2016:1484
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: spacewalk-java security and bug fix update
Last Updated: 2016-07-26 11:45:55 UTC

Description Jan Hutař 2016-03-31 07:52:11 UTC
Description of problem:
There is a possible XSS when you create a group with HTML via SSM or API and check a snapshot with this group's join/leave.


Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-134.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Use SSM to create group:
   Systems -> System Set Manager -> Groups -> Create Group
     Name: '"><script>alert()</script>'
     Description: whatever
   OR use API to create such a group:
     client.systemgroup.create(key, 'bz"><script>alert("created name")</script>', 'bz"><script>alert("created desc")</script>')
2. Choose a system and make sure it has the Provisioning add-on entitlement
3. Systems -> <system> -> Groups -> Join -> select group you have created
   in step "1."
4. Systems -> <system> -> Provisioning -> Snapshots -> <newest_one> -> Groups
5. Ensure you see the group from step "1." there. If you do not, find
   the snapshot where you can see it (if you made more actions with the
   system, this might not be trivial :-))


Actual results:
If you are in the correct snapshot (see step "5."), a JavaScript alert appears.


Expected results:
Group name is properly escaped.


Additional info:
Found when working on bug 1320452.
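The defect is an output-encoding one: the group name is stored as typed and later concatenated into the snapshot Groups page without HTML escaping, so the `">` prefix of the reported name closes whatever attribute it lands in and the `<script>` element that follows becomes live markup. The following Python is an added illustration of that rendering defect and of the expected fix (escape at output time, including quotes, so attribute context is covered); it is not spacewalk-java code, and the `<td title="...">` row markup is a hypothetical stand-in for the real page template.

```python
import html
from html.parser import HTMLParser

# Group name copied from the API variant of the reproducer in this bug report.
REPORTED_GROUP_NAME = 'bz"><script>alert("created name")</script>'


def render_group_row_unescaped(name: str) -> str:
    """Hypothetical snapshot Groups row rendered the way the affected page did:
    the stored group name is concatenated into the HTML as-is."""
    return f'<tr><td title="{name}">{name}</td></tr>'


def render_group_row_escaped(name: str) -> str:
    """Same row with the expected fix: escape & < > " and ' at output time.
    quote=True matters because the name is also placed inside an attribute."""
    safe = html.escape(name, quote=True)
    return f'<tr><td title="{safe}">{safe}</td></tr>'


class _StartTagCollector(HTMLParser):
    """Collects the start tags a browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def element_tags(rendered: str) -> list[str]:
    """Parse the rendered fragment and return the element names it contains.
    Any tag beyond the template's own (tr, td) came from user data."""
    collector = _StartTagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def has_live_markup(rendered: str, tag: str = "script") -> bool:
    """True if a raw <tag> element survived rendering, i.e. escaping failed."""
    return tag in element_tags(rendered)


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_group_row_unescaped),
                            ("escaped", render_group_row_escaped)):
        out = renderer(REPORTED_GROUP_NAME)
        print(f"{label}: tags={element_tags(out)} live_script={has_live_markup(out)}")
```

Running the block with the reported group name shows the unescaped row parsing into `tr, td, script, script` (the attribute is broken out of and two script elements appear), while the escaped row parses into only `tr, td`. A useful regression check for this class of bug is exactly that: feed the stored name through the page renderer and assert that the element set equals the template's own tags.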

Comment 1 Grant Gainey 2016-06-09 15:34:19 UTC
CVE is public, this BZ should be as well

spacewalk.github: 23f46724d31c476f16fb1a8fe3ee113460640f43

Comment 4 Radovan Drazny 2016-06-24 12:19:49 UTC
Reproduced on spacewalk-java-2.3.8-142.el6sat using the reproducer from the initial report. JavaScript alert got executed as described, groups were created both by WebUI and API with the same result.
Updated to spacewalk-java-2.3.8-144.el6sat, group names in snapshots are displayed correctly, JavaScript is not executed.
VERIFIED

Comment 7 Radovan Drazny 2016-07-19 12:18:21 UTC
Re-verified with spacewalk-java-2.3.8-147 as described in the comment #4.

Comment 9 errata-xmlrpc 2016-07-26 07:46:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1484.html

