Bug 1322710 - XSS when you create group with HTML via SSM or API and checks snapshot with this group join/leave
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Severity: low
Assigned To: Grant Gainey
QA Contact: Radovan Drazny
Keywords: Security
Blocks: CVE-2016-3097
Reported: 2016-03-31 03:52 EDT by Jan Hutař
Modified: 2016-07-26 03:46 EDT (History)
Fixed In Version: spacewalk-java-2.3.8-147-sat
Doc Type: Bug Fix
Last Closed: 2016-07-26 03:46:37 EDT
Type: Bug
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2016:1484
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: spacewalk-java security and bug fix update
Last Updated: 2016-07-26 07:45:55 EDT
Description Jan Hutař 2016-03-31 03:52:11 EDT
Description of problem:
There is a possible XSS when you create a group with HTML via SSM or API and check a snapshot with this group join/leave.


Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-134.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Use SSM to create a group:
   Systems -> System Set Manager -> Groups -> Create Group
     Name: '"><script>alert()</script>'
     Description: whatever
   OR use API to create such a group:
     client.systemgroup.create(key, 'bz"><script>alert("created name")</script>', 'bz"><script>alert("created desc")</script>')
2. Choose a system and make sure it has the Provisioning add-on entitlement
3. Systems -> <system> -> Groups -> Join -> select the group you have created
   in step "1."
4. Systems -> <system> -> Provisioning -> Snapshots -> <newest_one> -> Groups
5. Ensure you see the group from step "1." there. If you do not, find
   the snapshot where you can see it (if you made more actions with the
   system, this might not be trivial :-))


Actual results:
If you are in the correct snapshot (see step "5."), a JavaScript alert appears.


Expected results:
Group name is properly escaped.


Additional info:
Found when working on bug 1320452.
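An added illustration, not spacewalk-java's own code (the row markup and the /groups/detail URL are assumptions): the unescaped rendering pattern that produces the alert in the snapshot Groups tab, beside a form that encodes each value for the context it lands in, plus a regression check that reports whether a stored group name is reflected into the page verbatim.

```python
import html
from urllib.parse import quote

# Constructed sample input: the group name and description from the reproducer above.
GROUP_NAME = 'bz"><script>alert("created name")</script>'
GROUP_DESC = 'bz"><script>alert("created desc")</script>'


def render_group_row_unescaped(name, description):
    """Vulnerable pattern: stored group fields are concatenated straight into markup.

    A name such as GROUP_NAME closes the href attribute and injects a script element.
    """
    return ('<tr><td><a href="/groups/detail?name=' + name + '">' + name
            + '</a></td><td>' + description + '</td></tr>')


def render_group_row_escaped(name, description):
    """Fixed pattern: encode each value for the context it lands in.

    The href query parameter is URL-encoded, then everything placed in an
    attribute or text node is HTML-escaped (quotes included).
    """
    href = html.escape(quote(name, safe=""), quote=True)
    safe_name = html.escape(name, quote=True)
    safe_desc = html.escape(description, quote=True)
    return ('<tr><td><a href="/groups/detail?name=' + href + '">' + safe_name
            + '</a></td><td>' + safe_desc + '</td></tr>')


def reflects_raw_markup(rendered, *values):
    """Regression check for the fix: True if any untrusted value that carries
    markup-significant characters appears verbatim in the rendered HTML."""
    return any(value in rendered
               for value in values
               if any(ch in value for ch in '<>"\''))


if __name__ == "__main__":
    bad = render_group_row_unescaped(GROUP_NAME, GROUP_DESC)
    good = render_group_row_escaped(GROUP_NAME, GROUP_DESC)
    print("unescaped reflects payload:", reflects_raw_markup(bad, GROUP_NAME, GROUP_DESC))
    print("escaped reflects payload:  ", reflects_raw_markup(good, GROUP_NAME, GROUP_DESC))
```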
Comment 1 Grant Gainey 2016-06-09 11:34:19 EDT
CVE is public, this BZ should be as well

spacewalk.github: 23f46724d31c476f16fb1a8fe3ee113460640f43
Comment 4 Radovan Drazny 2016-06-24 08:19:49 EDT
Reproduced on spacewalk-java-2.3.8-142.el6sat using the reproducer from the initial report. JavaScript alert got executed as described, groups were created both by WebUI and API with the same result.
Updated to spacewalk-java-2.3.8-144.el6sat, group names in snapshots are displayed correctly, JavaScript is not executed.
VERIFIED
Comment 7 Radovan Drazny 2016-07-19 08:18:21 EDT
Re-verified with spacewalk-java-2.3.8-147 as described in comment #4.
Comment 9 errata-xmlrpc 2016-07-26 03:46:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1484.html
