Bug 742050 (CVE-2011-4346) - CVE-2011-4346 satellite: XSS flaw in custom system information key handling
Summary: CVE-2011-4346 satellite: XSS flaw in custom system information key handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4346
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 756768
Blocks: 622406 756765
Reported: 2011-09-28 21:11 UTC by Vincent Danen
Modified: 2023-05-11 18:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-07 19:27:40 UTC
Embargoed:




Links
System ID: Red Hat Product Errata RHSA-2011:1794
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Network Satellite server security update
Last Updated: 2011-12-08 00:12:09 UTC

Description Vincent Danen 2011-09-28 21:11:22 UTC
A cross-site scripting (XSS) flaw was found in the way the 'System Details' => 'Details' => 'Custom Info' page of the Red Hat Network Satellite web interface sanitized the value (the Description field) of the asset tag / key assigned to a particular system and created via the 'Custom System Info' page. An authenticated Red Hat Network Satellite user could use this flaw to execute arbitrary HTML or web script code via a specially crafted value for the asset 'Custom System Info' key.

Acknowledgements:

Red Hat would like to thank William Hoffmann for reporting this issue.

Comment 11 Jan Pazdziora 2011-11-22 10:02:41 UTC
Proposed patch:

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:00:23.807818164 -0500
@@ -219,6 +219,7 @@
   foreach my $cv (@{$data}) {
 
     my %subs = (label => $cv->{KEY}, value => $cv->{VALUE}, key_id => $cv->{ID});
+    PXT::Utils->escapeHTML_multi(\%subs);
     $ret .= PXT::Utils->perform_substitutions($params{__block__}, \%subs);
   }
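Review bot: escapeHTML_multi is applied to the whole %subs hash, so label and key_id are encoded together with value; render time, just before perform_substitutions, is the right place, and encoding label is worthwhile because keys are user-created too. Confirm that escapeHTML_multi modifies the hash in place through the \%subs reference rather than returning a copy, and that nothing earlier in this loop already escapes these fields, otherwise the page will show double-encoded entities such as &amp;lt;.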

Comment 12 Jan Pazdziora 2011-11-22 10:08:30 UTC
However, this only addresses /network/systems/details/custominfo/index.pxt.

The /network/systems/details/custominfo/edit.pxt needs to be addressed for input data like

   </textarea><script>alert(document.cookie)</script>

For that, patch

--- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig	2010-09-10 18:04:52.000000000 -0400
+++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm	2011-11-22 05:06:07.926608675 -0500
@@ -136,7 +136,7 @@
     $subs{value_created} = $data_ref->{CREATED} . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY});
     $subs{value_modified} = $data_ref->{LAST_MODIFIED} . " by " . PXT::Utils->escapeHTML($data_ref->{LAST_MODIFIED_BY});
     $subs{key_label} = PXT::Utils->escapeHTML($data_ref->{KEY});
-    $subs{value} = $data_ref->{VALUE};
+    $subs{value} = PXT::Utils->escapeHTML($data_ref->{VALUE});
   }
   else {
     $server->set_custom_value(-user_id => $pxt->user->id,
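Review bot: this brings value in line with the key_label line two lines above; since escapeHTML turns < into &lt;, the </textarea><script> input quoted in the comment can no longer close the textarea. Note that the value_created and value_modified lines escape only the CREATED_BY / LAST_MODIFIED_BY names and concatenate CREATED / LAST_MODIFIED raw, which is fine only as long as those remain database-generated timestamps and never user input.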

is also needed.

Comment 13 Jan Pazdziora 2011-11-22 10:10:36 UTC
It should be noted that the latest Spacewalk (1.6 to be) has these WebUI pages rewritten from Perl to Java and it does not seem to suffer from the XSS issue. However, in Spacewalk, the special characters seem to be stripped, so for example

    <script>alert(document.cookie)</script>

becomes

    scriptalertdocument.cookie/script

upon save. We need to investigate and hopefully address this Spacewalk issue as well because traditionally, any character could be saved as custom info value.
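Added example, not code from the bug report or from Satellite/Spacewalk: it contrasts the character stripping described in Comment 13 (scrub() is an assumed approximation of that behaviour) with the output encoding the patches in Comments 11 and 12 apply, rendering the same stored value into the <pre> cell and the edit textarea with and without escaping.

```python
import html
import re

# Constructed sample input: the value quoted in Comment 13 of the bug report,
# plus the textarea break-out form from Comment 12.
SAMPLE_VALUE = "<script>alert(document.cookie)</script>"
TEXTAREA_BREAKOUT = "</textarea>" + SAMPLE_VALUE


def scrub(value: str) -> str:
    """Assumed approximation of the input 'scrubbing' Comment 13 describes:
    special characters are deleted before the value is stored, so the data
    is changed and the original value can never be recovered."""
    return re.sub(r"[<>()]", "", value)


def escape(value: str) -> str:
    """Output encoding at render time (what the Perl escapeHTML and the JSP
    <c:out> patches do): the stored value is untouched, only its HTML form
    changes."""
    return html.escape(value, quote=True)


def render_pre(value: str, escaped: bool) -> str:
    """The <pre> cell of listcustomdata.jsp, before and after the patch."""
    return f"<pre>{escape(value) if escaped else value}</pre>"


def render_textarea(value: str, escaped: bool) -> str:
    """The edit form textarea (edit.pxt / UpdateCustomData), before and after."""
    return f'<textarea name="value">{escape(value) if escaped else value}</textarea>'


def has_live_script(rendered: str) -> bool:
    """True when the markup hands the browser a real <script> tag, i.e. the
    value escaped its intended context."""
    return "<script" in rendered.lower()


def round_trips(value: str) -> bool:
    """Escaping is lossless: decoding the rendered text yields the stored value."""
    return html.unescape(escape(value)) == value


if __name__ == "__main__":
    print("scrubbed :", scrub(SAMPLE_VALUE))
    print("unpatched:", render_textarea(TEXTAREA_BREAKOUT, escaped=False))
    print("patched  :", render_textarea(TEXTAREA_BREAKOUT, escaped=True))
```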

Comment 14 Jan Pazdziora 2011-11-22 15:02:11 UTC
The Spacewalk patches would be:

diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
index 4189ced..058d1d5 100644
--- a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
+++ b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp
@@ -34,7 +34,7 @@
             <tr>
               <th>${current.label}</th>
               <td width="50%">
-                <pre>${current.value}</pre>
+                <pre><c:out value="${current.value}" /></pre>
                 <a href="/rhn/systems/details/UpdateCustomData.do?sid=${system.id}&cikid=${current.cikid}">
                   <bean:message key="sdc.details.customdata.editvalue"/>
                 </a>
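Review bot: <c:out> fixes the value cell, but ${current.label} in the <th> on the line above is still written unescaped; custom keys are user-created (the Perl fix in comment 11 escapes label as well), so wrap it the same way: `<th><c:out value="${current.label}" /></th>`. The ${system.id} and ${current.cikid} in the href are presumably numeric ids, but <c:out> there costs nothing either.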
diff --git a/java/code/webapp/WEB-INF/struts-config.xml b/java/code/webapp/WEB-INF/struts-config.xml
index 97ddfc0..ddb46f9 100644
--- a/java/code/webapp/WEB-INF/struts-config.xml
+++ b/java/code/webapp/WEB-INF/struts-config.xml
@@ -1128,6 +1128,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="description" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="description"/>
     </form-bean>
 
     <form-bean name="updateCustomDataForm"
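Review bot: the new no_scrub property is a convention this hunk does not explain; a reader has to know that the request scrubbing filter reads it to skip the named field (here description). An XML comment saying so would help, and since the bean's name is above the visible context, confirm this is the custom key form. Turning scrubbing off for description is only safe if every JSP that renders the description also output-encodes it, and no such page is part of this patch.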
@@ -1136,6 +1137,7 @@
       <form-property name="label" type="java.lang.String" />
       <form-property name="value" type="java.lang.String" />
       <form-property name="submitted" type="java.lang.Boolean" />
+      <form-property name="no_scrub" type="java.lang.String" initial="value"/>
     </form-bean>
 
     <form-bean name="updateTaskSchedule"
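Review bot: same point as the previous hunk for updateCustomDataForm: with scrubbing disabled for value, raw markup now reaches the database and the fix relies entirely on output encoding. listcustomdata.jsp is covered by the first file in this patch, but the UpdateCustomData.do page that re-displays the current value for editing (the Java counterpart of the edit.pxt textarea from comment 12) is not touched here and needs the same check.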

Comment 16 Jan Lieskovsky 2011-11-24 13:40:02 UTC
The CVE identifier of CVE-2011-4346 has been assigned to this issue.

Comment 19 Jan Lieskovsky 2011-11-24 15:10:09 UTC
The preliminary embargo date for this issue has been set up to Wednesday, 2011-12-07.

Comment 20 errata-xmlrpc 2011-12-07 19:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:1794 https://rhn.redhat.com/errata/RHSA-2011-1794.html

