Bug 1460208 - organization name allows XSS
Summary: organization name allows XSS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 580
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jiří Dostál
QA Contact: Jan Hutař
URL:
Whiteboard: component:security
Depends On:
Blocks: sat58-errata CVE-2017-7538
 
Reported: 2017-06-09 11:21 UTC by Ales Dujicek
Modified: 2017-09-06 12:27 UTC (History)

Fixed In Version: spacewalk-java-2.5.14-95-sat
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-06 12:27:53 UTC
Target Upstream Version:




Links
System ID: Red Hat Product Errata RHSA-2017:2645
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: satellite and spacewalk security and bug fix update
Last Updated: 2017-09-06 16:26:43 UTC

Comment 1 Tomas Lestach 2017-06-09 11:28:21 UTC
Ales, can you confirm Sat 5.7 behaves the same?

Comment 2 Ales Dujicek 2017-06-09 12:31:42 UTC
Yes, it is same on Sat 5.7.

Comment 3 Jiří Dostál 2017-06-23 10:44:12 UTC
spacewalk 872c56ecf6e158c742e406ba14c0fcb28bcd711c

Comment 4 Tomas Lestach 2017-06-26 08:54:17 UTC
Jiri, cannot the fix be handled in the jsp?

Comment 5 Grant Gainey 2017-06-26 11:49:34 UTC
(In reply to Tomas Lestach from comment #4)
> Jiri, cannot the fix be handled in the jsp?

Yeah, this can't be handled by limiting the org-name - people put all kinds of things there. The way we fix XSS in the app is to make sure everything that shows up in the UI is escaped. Just using <c:out> is enough, it defaults to escapeXml="true".

Comment 6 Kurt Seifried 2017-06-26 17:42:59 UTC
Does this need admin access to exploit? I assume setting the org name is restricted.

Comment 7 Tomas Lestach 2017-06-27 09:16:57 UTC
This restricts to the Satellite Administrator role. An Organization Admin cannot change organization name (neither via WebUI, nor via API).

Comment 8 Jiří Dostál 2017-06-27 13:21:05 UTC
Reverted previous commit by 5f86c30d53f6303d245fe94ba2d2b230cb3be14b

spacewalk.git aa2afde75f6f9e8f2e314c9385192751541a0f41

Comment 9 Kurt Seifried 2017-07-14 20:49:53 UTC
CVE assigned and flaw bug created and linked from here, looks like we'll fix in sat 5.8 correct?

Comment 14 Tomáš Kašpárek 2017-08-23 14:14:36 UTC
spacewalk.git(master): 91a397e32933e66354816e1a6dce1ec556f9eb6d

Comment 17 Tomáš Kašpárek 2017-08-24 07:58:07 UTC
spacewalk.git(master): 930497fe4b8732f8cf8ecae9a017a7eb956a6c90

Comment 20 Tomáš Kašpárek 2017-08-24 09:14:40 UTC
spacewalk.git(master): d7e27c64b8303f2b0303fc5f52cff908f5acae47

Comment 23 Lukáš Hellebrandt 2017-08-30 10:06:35 UTC
Re-verified with spacewalk-java-2.5.14-95.

Checked for all the URLs mentioned here and Channels -> Software Channels -> *

Note: You must set org name using API, if you use WebUI, the "<>" characters are removed before being saved to the database. (Creating another BZ about this inconsistency.)
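An added illustration of the two approaches that come up in this thread: escaping at output time with <c:out> (comment 5) versus the WebUI dropping "<" and ">" on input while the API stores the name verbatim (comment 23). This is example code written for this page, not Spacewalk's; the sample org name, the class and method names, and the simulated page fragments in renderUnescaped/renderEscaped are constructed for the illustration. The escapeXml method reproduces the five entity substitutions JSTL's <c:out> applies when escapeXml is true.

```java
/**
 * Illustrative example, not Spacewalk code: an organization name that a
 * Satellite Administrator can set to arbitrary text, handled two ways.
 */
public class OrgNameEscaping {

    /** Constructed sample value: an org name carrying markup and quotes. */
    static final String ORG_NAME = "Acme <script>alert(1)</script> & \"Sons\"";

    /**
     * Input-side filtering, as the WebUI did per comment 23: drop '<' and '>'
     * before saving. A value stored through another path (the XML-RPC API)
     * never passes through this method.
     */
    static String stripAngleBrackets(String s) {
        return s.replace("<", "").replace(">", "");
    }

    /**
     * Output-side encoding equivalent to JSTL <c:out escapeXml="true">: the
     * characters significant in HTML/XML text and attribute values are
     * replaced by entities, using the same entity forms JSTL emits.
     */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simulated page render (constructed): the stored name dropped in raw. */
    static String renderUnescaped(String stored) {
        return "<h1>Organization: " + stored + "</h1>";
    }

    /** Simulated page render (constructed): the stored name escaped on output. */
    static String renderEscaped(String stored) {
        return "<h1>Organization: " + escapeXml(stored) + "</h1>";
    }

    public static void main(String[] args) {
        // Path 1: WebUI strips '<' and '>' on input, page renders the value raw.
        String viaWebUi = stripAngleBrackets(ORG_NAME);
        System.out.println("WebUI path, raw render: " + renderUnescaped(viaWebUi));

        // Path 2: API stores the value verbatim; the same raw render emits the
        // script tag, so the input filter protected only one entry point.
        String viaApi = ORG_NAME;
        System.out.println("API path, raw render:   " + renderUnescaped(viaApi));

        // Output escaping does not depend on which path stored the value.
        System.out.println("API path, escaped:      " + renderEscaped(viaApi));
    }
}
```

Running main shows the raw render of the API-stored value containing a live script element, while the escaped render of the same value contains only entity-encoded text. This is the reason comment 5 rejects restricting the org name as the fix: the escaping has to happen where the value is written into the page, so that every storage path is covered.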

Comment 24 errata-xmlrpc 2017-09-06 12:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645

