Proposed patch:

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:00:23.807818164 -0500
@@ -219,6 +219,7 @@
   foreach my $cv (@{$data}) {
 
     my %subs = (label => $cv->{KEY}, value => $cv->{VALUE}, key_id => $cv->{ID});
+    PXT::Utils->escapeHTML_multi(\%subs);
     $ret .= PXT::Utils->perform_substitutions($params{__block__}, \%subs);
   }

However, this only addresses /network/systems/details/custominfo/index.pxt.

The /network/systems/details/custominfo/edit.pxt needs to be addressed for input data like

   </textarea><script>alert(document.cookie)</script>

For that, patch

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:06:07.926608675 -0500
@@ -136,7 +136,7 @@
     $subs{value_created} = $data_ref->{CREATED} . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY});
     $subs{value_modified} = $data_ref->{LAST_MODIFIED} . " by " . PXT::Utils->escapeHTML($data_ref->{LAST_MODIFIED_BY});
     $subs{key_label} = PXT::Utils->escapeHTML($data_ref->{KEY});
-    $subs{value} = $data_ref->{VALUE};
+    $subs{value} = PXT::Utils->escapeHTML($data_ref->{VALUE});
   }
   else {
     $server->set_custom_value(-user_id => $pxt->user->id,

is also needed.

It should be noted that the latest Spacewalk (1.6 to be) has these WebUI pages rewritten from Perl to Java and it does not seem to suffer from the XSS issue. However, in Spacewalk, the special characters seem to be stripped, so for example

    <script>alert(document.cookie)</script>

becomes

    scriptalertdocument.cookie/script

upon save. We need to investigate and hopefully address this Spacewalk issue as well because traditionally, any character could be saved as custom info value.

The Spacewalk patches would be:

diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
index 4189ced..058d1d5 100644
--- a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
+++ b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
@@ -34,7 +34,7 @@
             <tr>
               <th>${current.label}</th>
               <td width="50%">
-                <pre>${current.value}</pre>
+                <pre><c:out value="${current.value}" /></pre>
                 <a href="/rhn/systems/details/UpdateCustomData.do?sid=${system.id}&cikid=${current.cikid}">
                   <bean:message key="sdc.details.customdata.editvalue"/>
                 </a>
diff --git a/java/code/webapp/WEB-INF/struts-config.xml b/java/code/webapp/WEB-INF/struts-config.xml
index 97ddfc0..ddb46f9 100644
--- a/java/code/webapp/WEB-INF/struts-config.xml
+++ b/java/code/webapp/WEB-INF/struts-config.xml
@@ -1128,6 +1128,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="description" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="description"/>
     </form-bean>
 
     <form-bean name="updateCustomDataForm"
@@ -1136,6 +1137,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="value" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="value"/>
     </form-bean>
 
     <form-bean name="updateTaskSchedule"

The CVE identifier of CVE-2011-4346 has been assigned to this issue.

The preliminary embargo date for this issue has been set up to Wednesday, 2011-12-07.

This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:1794 https://rhn.redhat.com/errata/RHSA-2011-1794.html