Bug 1478587 - Bodhi: Javascript injection in detail view
Summary: Bodhi: Javascript injection in detail view
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bodhi
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Randy Barlow
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-04 21:18 UTC by Marcel
Modified: 2017-09-02 20:48 UTC (History)
4 users (show)

Fixed In Version: bodhi-2.9.1-1.fc27 bodhi-2.9.1-1.fc26 bodhi-2.9.1-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-20 18:28:21 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Github fedora-infra bodhi issues 1740 None None None 2017-08-10 15:54:13 UTC

Description Marcel 2017-08-04 21:18:04 UTC 
Description of problem:
It is possible to inject Javascript into the bodhi webclient.

Version-Release number of selected component (if applicable):
bodhi-2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Open https://bodhi.fedoraproject.org/updates/FEDORA-2017-3c92db10b8
2. Go to tab "Bugs"

Actual results:
You'll see a bug "#1473091 should be optional"

Expected results:
"#1473091 <disk> <driver name=...> should be optional"

Additional info:
The bug summary in this view should be escaped, as the current behavior allows an attacker to create a bug with a summary like "<script src='...'>" and let visitors of bodhi load JS.
Comment 1 Patrick Uiterwijk 2017-08-10 14:29:58 UTC 
This issue has been assigned CVE-2017-1002152.
Comment 2 Randy Barlow 2017-08-10 14:30:52 UTC 
In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report!
Comment 3 Randy Barlow 2017-08-10 15:54:13 UTC 
Since this is filed publicly here, I have filed this upstream and we will track work on it there.
Comment 4 Jan Kurik 2017-08-15 06:37:57 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 5 Fedora Update System 2017-08-15 22:30:18 UTC 
bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
Comment 6 Fedora Update System 2017-08-15 22:40:51 UTC 
bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 7 Fedora Update System 2017-08-18 20:21:46 UTC 
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 8 Fedora Update System 2017-08-19 18:52:06 UTC 
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
Comment 9 Fedora Update System 2017-08-20 18:28:21 UTC 
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2017-09-02 20:48:52 UTC 
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.