Bug 1460208 - organization name allows XSS
organization name allows XSS
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
Version: 580
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Jiří Dostál
QA Contact: Jan Hutař
Whiteboard: component:security
Keywords: Security, SecurityTracking
Depends On:
Blocks: sat58-errata CVE-2017-7538
Reported: 2017-06-09 07:21 EDT by Ales Dujicek
Modified: 2017-09-06 08:27 EDT (History)

See Also:
Fixed In Version: spacewalk-java-2.5.14-95-sat
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-06 08:27:53 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2017:2645
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: satellite and spacewalk security and bug fix update
Last Updated: 2017-09-06 12:26:43 EDT
Comment 1 Tomas Lestach 2017-06-09 07:28:21 EDT
Ales, can you confirm Sat 5.7 behaves the same?
Comment 2 Ales Dujicek 2017-06-09 08:31:42 EDT
Yes, it is same on Sat 5.7.
Comment 3 Jiří Dostál 2017-06-23 06:44:12 EDT
spacewalk 872c56ecf6e158c742e406ba14c0fcb28bcd711c
Comment 4 Tomas Lestach 2017-06-26 04:54:17 EDT
Jiri, cannot the fix be handled in the jsp?
Comment 5 Grant Gainey 2017-06-26 07:49:34 EDT
(In reply to Tomas Lestach from comment #4)
> Jiri, cannot the fix be handled in the jsp?

Yeah, this can't be handled by limiting the org-name - people put all kinds of things there. The way we fix XSS in the app is to make sure everything that shows up in the UI is escaped. Just using <c:out> is enough, it defaults to escapeXml="true".
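Added illustration of the fix described in comment 5 (not code from the Spacewalk tree or from this bug): the same org name rendered unescaped and through <c:out>. It assumes a bean exposed to the page as ${org} with a name property; the org name value shown in the comments is a constructed sample.

```jsp
<%-- Added example, not Spacewalk code. Assumes ${org} is a bean with getName().
     Constructed sample org name for the comments below: <b>Acme</b> & Co --%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<%-- Vulnerable: a bare EL expression is written to the response verbatim,
     so the <b> tag in the org name becomes live markup in the page. --%>
<h1>${org.name}</h1>

<%-- Fixed: <c:out> escapes <, >, &, ' and " (escapeXml="true" is the default),
     so the response carries &lt;b&gt;Acme&lt;/b&gt; &amp; Co as literal text. --%>
<h1><c:out value="${org.name}"/></h1>

<%-- Attribute context needs the same treatment; because quotes are escaped too,
     an org name cannot close the attribute early and start a new one. --%>
<input type="text" name="orgName" value="<c:out value='${org.name}'/>"/>
```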
Comment 6 Kurt Seifried 2017-06-26 13:42:59 EDT
Does this need admin access to exploit? I assume setting the org name is restricted.
Comment 7 Tomas Lestach 2017-06-27 05:16:57 EDT
This restricts to the Satellite Administrator role. An Organization Admin cannot change organization name (neither via WebUI, nor via API).
Comment 8 Jiří Dostál 2017-06-27 09:21:05 EDT
Reverted previous commit by 5f86c30d53f6303d245fe94ba2d2b230cb3be14b

spacewalk.git aa2afde75f6f9e8f2e314c9385192751541a0f41
Comment 9 Kurt Seifried 2017-07-14 16:49:53 EDT
CVE assigned and flaw bug created and linked from here, looks like we'll fix in sat 5.8 correct?
Comment 14 Tomáš Kašpárek 2017-08-23 10:14:36 EDT
spacewalk.git(master): 91a397e32933e66354816e1a6dce1ec556f9eb6d
Comment 17 Tomáš Kašpárek 2017-08-24 03:58:07 EDT
spacewalk.git(master): 930497fe4b8732f8cf8ecae9a017a7eb956a6c90
Comment 20 Tomáš Kašpárek 2017-08-24 05:14:40 EDT
spacewalk.git(master): d7e27c64b8303f2b0303fc5f52cff908f5acae47
Comment 23 Lukáš Hellebrandt 2017-08-30 06:06:35 EDT
Re-verified with spacewalk-java-2.5.14-95.

Checked for all the URLs mentioned here and Channels -> Software Channels -> *

Note: You must set org name using API, if you use WebUI, the "<>" characters are removed before being saved to the database. (Creating another BZ about this inconsistency.)
Comment 24 errata-xmlrpc 2017-09-06 08:27:53 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645
