Bug 2165626 - PT: OSD: Content Spoofing Flaw
Summary: PT: OSD: Content Spoofing Flaw
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2155344
 
Reported: 2023-01-30 15:40 UTC by juneau
Modified: 2023-07-07 08:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description juneau 2023-01-30 15:40:05 UTC
Content Spoofing in https://54.177.115.56:6443/

Synopsis
Content Spoofing (also known as Content Injection) is one of the common web security vulnerabilities. It allows the end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use the security loopholes in the website to inject the content that he/she wishes into the target website. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Openshift at 54.177.115.56:6443 is prone to text injection, a subcategory of content spoofing in which the user is able to inject only plain text into the page. In other words, it is not possible to inject executable JavaScript content, shell commands or HTML content. The user, in the majority of cases, might just be able to change some of the text content that is already on the website. In this particular case, the actual content that is to be displayed on the UI is passed via request parameters, which can be modified by the user.
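The pattern the report describes, as an added example that is not part of the bug report or of OpenShift: a constructed Go status page that reflects the caller's `msg` parameter into the page text, beside a hardened variant that only lets the request select a server-side message by key. Handler names, parameter names and message texts are all assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/http/httptest"
	"net/url"
)

// vulnerableMessage reflects the caller-supplied "msg" parameter into the
// page. HTML is escaped, so no markup or script can run, yet the request
// still dictates the text the user reads: the text-injection flaw the
// report describes. (Constructed handler, not OpenShift code.)
func vulnerableMessage(q url.Values) string {
	return fmt.Sprintf("<p>%s</p>", html.EscapeString(q.Get("msg")))
}

// knownMessages is a server-side allow-list: the client may pick a key,
// never the wording.
var knownMessages = map[string]string{
	"session_expired": "Your session has expired. Please log in again.",
	"logged_out":      "You have been logged out.",
}

// hardenedMessage maps the "code" parameter to a fixed message and falls
// back to a generic one for anything unrecognised, so the response text
// can no longer be shaped by the request.
func hardenedMessage(q url.Values) string {
	if text, ok := knownMessages[q.Get("code")]; ok {
		return fmt.Sprintf("<p>%s</p>", text)
	}
	return "<p>An unexpected error occurred.</p>"
}

// render serves one GET request through httptest so both builders can be
// compared on identical input.
func render(build func(url.Values) string, target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", target, nil)
	fmt.Fprint(rec, build(req.URL.Query()))
	return rec.Body.String()
}

func main() {
	// Constructed input: text the request author chose, sent to both handlers.
	target := "/status?code=session_expired&msg=" + url.QueryEscape("Text chosen by the request author")
	fmt.Println(render(vulnerableMessage, target)) // request text appears verbatim
	fmt.Println(render(hardenedMessage, target))   // fixed server-side text only
}
```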

