Bug 1478587 - Bodhi: Javascript injection in detail view
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bodhi (Show other bugs)
Version: 27
Assigned To: Randy Barlow
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2017-08-04 17:18 EDT by Marcel
Modified: 2017-09-02 16:48 EDT (History)
Fixed In Version: bodhi-2.9.1-1.fc27 bodhi-2.9.1-1.fc26 bodhi-2.9.1-1.el7
Last Closed: 2017-08-20 14:28:21 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Github fedora-infra/bodhi/issues/1740 None None None 2017-08-10 11:54 EDT
Description Marcel 2017-08-04 17:18:04 EDT
Description of problem:
It is possible to inject Javascript into the bodhi webclient.

Version-Release number of selected component (if applicable):
bodhi-2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Open https://bodhi.fedoraproject.org/updates/FEDORA-2017-3c92db10b8
2. Go to tab "Bugs"

Actual results:
You'll see a bug "#1473091 should be optional"

Expected results:
"#1473091 <disk> <driver name=...> should be optional"

Additional info:
The bug summary in this view should be escaped, as the current behavior allows an attacker to create a bug with a summary like "<script src='...'>" and let visitors of bodhi load JS.
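Added example (not Bodhi's own code): a minimal rendering of a Bugs-tab row, unescaped and escaped, plus a parser-based check that reproduces the "actual" and "expected" results above. The row markup and function names are assumptions for illustration.

```python
"""Why the bug summary must be HTML-escaped before it is placed in the page."""
import html
from html.parser import HTMLParser

# Summary from the report: the angle brackets are literal text, not markup.
SUMMARY = "#1473091 <disk> <driver name=...> should be optional"


def render_bug_row_unsafe(bug_id: int, summary: str) -> str:
    """Pre-fix behaviour (assumed markup): summary interpolated as raw HTML."""
    return f'<li class="bug"><a href="/bugs/{bug_id}">{summary}</a></li>'


def render_bug_row_safe(bug_id: int, summary: str) -> str:
    """Fixed behaviour: escape the untrusted summary so it renders as text."""
    escaped = html.escape(summary, quote=True)
    return f'<li class="bug"><a href="/bugs/{bug_id}">{escaped}</a></li>'


class _Probe(HTMLParser):
    """Collects the visible text and the element names a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.text = []
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def browser_view(fragment: str):
    """Return (visible text with collapsed whitespace, element names)."""
    probe = _Probe()
    probe.feed(fragment)
    probe.close()
    return " ".join("".join(probe.text).split()), probe.tags


if __name__ == "__main__":
    # Unescaped: "<disk>" and "<driver ...>" become elements and vanish from view.
    print(browser_view(render_bug_row_unsafe(1473091, SUMMARY)))
    # Escaped: the summary survives intact and only li/a elements exist.
    print(browser_view(render_bug_row_safe(1473091, SUMMARY)))
```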
Comment 1 Patrick Uiterwijk 2017-08-10 10:29:58 EDT
This issue has been assigned CVE-2017-1002152.
Comment 2 Randy Barlow 2017-08-10 10:30:52 EDT
In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report!
Comment 3 Randy Barlow 2017-08-10 11:54:13 EDT
Since this is filed publicly here, I have filed this upstream and we will track work on it there.
Comment 4 Jan Kurik 2017-08-15 02:37:57 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 5 Fedora Update System 2017-08-15 18:30:18 EDT
bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
Comment 6 Fedora Update System 2017-08-15 18:40:51 EDT
bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 7 Fedora Update System 2017-08-18 16:21:46 EDT
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
Comment 8 Fedora Update System 2017-08-19 14:52:06 EDT
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
Comment 9 Fedora Update System 2017-08-20 14:28:21 EDT
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2017-09-02 16:48:52 EDT
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.