Bug 1478587 - Bodhi: Javascript injection in detail view
Status: ON_QA
Product: Fedora
Classification: Fedora
Component: bodhi (Show other bugs)
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Randy Barlow
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-04 17:18 EDT by Marcel
Modified: 2017-08-19 14:52 EDT (History)
Fixed In Version: bodhi-2.9.1-1.fc27
Type: Bug
External Trackers:
GitHub issue fedora-infra/bodhi/issues/1740 (Priority: None, Status: None, Summary: None, Last Updated: 2017-08-10 11:54 EDT)
Description Marcel 2017-08-04 17:18:04 EDT
Description of problem:
It is possible to inject JavaScript into the bodhi webclient.

Version-Release number of selected component (if applicable):
bodhi-2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Open https://bodhi.fedoraproject.org/updates/FEDORA-2017-3c92db10b8
2. Go to tab "Bugs"

Actual results:
You'll see a bug "#1473091 should be optional"

Expected results:
"#1473091 <disk> <driver name=...> should be optional"

Additional info:
The bug summary in this view should be escaped, as the current behavior allows an attacker to create a bug with a summary like "<script src='...'>" and let visitors of bodhi load JS.
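The escaping the report asks for, shown as an added example in JavaScript that is not Bodhi's own code: one row of the "Bugs" tab is rendered with the Bugzilla summary HTML-escaped, the raw-concatenation rendering is kept beside it for comparison, and a small helper approximates what a browser displays as text so the report's actual and expected results can be reproduced. The bug object shape, the function names and the tracker link format are assumptions.

```javascript
// Added example (not Bodhi's code): escape a Bugzilla summary before it is
// placed in the update detail view's "Bugs" tab.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change meaning in HTML text or
// attribute values. A single pass means '&' is never double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed bug shape: { bug_id: number, title: string }. The number and the
// link are built here from a validated integer; the title is untrusted text.
function bugLink(bug) {
  const id = Number(bug.bug_id);
  if (!Number.isInteger(id) || id <= 0) {
    throw new Error('bug_id must be a positive integer');
  }
  // Assumed tracker URL format; the host is a placeholder for the demo.
  return `<a href="https://bugzilla.example.org/show_bug.cgi?id=${id}">#${id}</a>`;
}

// Vulnerable rendering: the summary is concatenated raw, so any markup in it
// is parsed by the browser. This is the behaviour the report describes.
function renderBugRowUnescaped(bug) {
  return `<li>${bugLink(bug)} ${bug.title}</li>`;
}

// Fixed rendering: the summary is escaped, so it is displayed verbatim.
function renderBugRow(bug) {
  return `<li>${bugLink(bug)} ${escapeHtml(bug.title)}</li>`;
}

// Rough model of what a browser shows as text for a fragment: drop anything
// parsed as a tag, decode the entities escapeHtml emits ('&amp;' last so a
// decoded '&' cannot start a second decode), collapse whitespace.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&')
    .replace(/\s+/g, ' ')
    .trim();
}

// Constructed sample mirroring the report's bug: the summary contains
// angle-bracketed fragments that are data, not markup.
const SAMPLE_BUG = {
  bug_id: 1473091,
  title: '<disk> <driver name=...> should be optional',
};

console.log('unescaped shows:', visibleText(renderBugRowUnescaped(SAMPLE_BUG)));
console.log('escaped shows:  ', visibleText(renderBugRow(SAMPLE_BUG)));
```

The unescaped row displays "#1473091 should be optional", matching the "Actual results" above, because the browser consumes `<disk>` and `<driver name=...>` as tags; the escaped row displays the full summary, matching "Expected results". Escaping at the point of insertion is the right place for the fix, since the summary is legitimately allowed to contain angle brackets and must not be altered on the way in.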
Comment 1 Patrick Uiterwijk 2017-08-10 10:29:58 EDT
This issue has been assigned CVE-2017-1002152.
Comment 2 Randy Barlow 2017-08-10 10:30:52 EDT
In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report!
Comment 3 Randy Barlow 2017-08-10 11:54:13 EDT
Since this is filed publicly here, I have filed this upstream and we will track work on it there.
Comment 4 Jan Kurik 2017-08-15 02:37:57 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 5 Fedora Update System 2017-08-15 18:30:18 EDT
bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
Comment 6 Fedora Update System 2017-08-15 18:40:51 EDT
bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 7 Fedora Update System 2017-08-18 16:21:46 EDT
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 8 Fedora Update System 2017-08-19 14:52:06 EDT
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090