Description of problem:
It is possible to inject JavaScript into the bodhi webclient.

Version-Release number of selected component (if applicable):
bodhi-2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Open https://bodhi.fedoraproject.org/updates/FEDORA-2017-3c92db10b8
2. Go to tab "Bugs"

Actual results:
You'll see a bug "#1473091 should be optional"

Expected results:
"#1473091 <disk> <driver name=...> should be optional"

Additional info:
The bug summary in this view should be escaped, as the current behavior allows an attacker to create a bug with a summary like "<script src='...'>" and let visitors of bodhi load JS.
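The escaping the report asks for, shown as an added example that is not Bodhi's own code: a minimal renderer for a row of the "Bugs" tab, with the unescaped form beside the escaped one, plus a check that no tag from the Bugzilla summary reaches the markup verbatim. The Bugzilla URL layout, the `sampleBug` object and all function names are assumptions.

```javascript
// Added example, not Bodhi's own code: escape Bugzilla-controlled text
// before interpolating it into the "Bugs" tab markup.

// Replace the five HTML-significant characters with entity references.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed Bugzilla URL layout; only a validated numeric id is interpolated,
// so the link target can never carry attacker-controlled text.
function bugUrl(id) {
  const n = Number.parseInt(id, 10);
  if (!Number.isInteger(n) || n <= 0) throw new Error(`invalid bug id: ${id}`);
  return `https://bugzilla.redhat.com/show_bug.cgi?id=${n}`;
}

// Vulnerable form: the summary lands in the markup untouched, so the browser
// parses any tags it contains. That is why "<disk> <driver name=...>" vanished
// from the rendered row in the report.
function renderBugRowUnsafe(bug) {
  return `<li><a href="${bugUrl(bug.id)}">#${bug.id}</a> ${bug.title}</li>`;
}

// Hardened form: the summary is escaped, so the browser shows it verbatim.
function renderBugRowSafe(bug) {
  const id = Number.parseInt(bug.id, 10);
  return `<li><a href="${bugUrl(id)}">#${id}</a> ${escapeHtml(bug.title)}</li>`;
}

// Regression check for a template: true if any "<...>" sequence taken from the
// untrusted summary appears unchanged in the rendered HTML.
function leaksRawTags(html, untrusted) {
  const tags = String(untrusted).match(/<[^>]*>/g) || [];
  return tags.some((t) => html.includes(t));
}

// Constructed sample matching the summary quoted in the report.
const sampleBug = {
  id: 1473091,
  title: '<disk> <driver name=...> should be optional',
};
```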
This issue has been assigned CVE-2017-1002152.
In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report!
Since this is filed publicly here, I have filed this upstream and we will track work on it there.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.