A cross-site scripting (XSS) flaw was found in the way the 'System Details' => 'Details' => 'Custom Info' page of the Red Hat Network Satellite web interface sanitized the value (the Description field) of an asset tag / key that was created via the 'Custom System Info' page and assigned to a particular system. An authenticated Red Hat Network Satellite user could use this flaw to execute arbitrary HTML or web script code via a specially crafted value for a 'Custom System Info' key. Acknowledgements: Red Hat would like to thank William Hoffmann for reporting this issue.
Proposed patch: --- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig 2010-09-10 18:04:52.000000000 -0400 +++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm 2011-11-22 05:00:23.807818164 -0500 @@ -219,6 +219,7 @@ foreach my $cv (@{$data}) { my %subs = (label => $cv->{KEY}, value => $cv->{VALUE}, key_id => $cv->{ID}); + PXT::Utils->escapeHTML_multi(\%subs); $ret .= PXT::Utils->perform_substitutions($params{__block__}, \%subs); }
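Review bot: escapeHTML_multi(\%subs) is applied to the whole hash, so label (KEY) and key_id (ID) are escaped together with value; that is the right encoding for HTML text context, but if $params{__block__} places key_id or label inside an href or another attribute, HTML entity encoding alone is not the right encoding for that context and the template block should be checked before relying on this call. This hunk also covers only the listing block at line 219; the edit page assignment $subs{value} = $data_ref->{VALUE} still substitutes the raw value and needs its own change.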
However, this only addresses /network/systems/details/custominfo/index.pxt. The /network/systems/details/custominfo/edit.pxt needs to be addressed for input data like </textarea><script>alert(document.cookie)</script> For that, patch --- /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm.orig 2010-09-10 18:04:52.000000000 -0400 +++ /usr/share/perl5/vendor_perl/Sniglets/CustomInfo.pm 2011-11-22 05:06:07.926608675 -0500 @@ -136,7 +136,7 @@ $subs{value_created} = $data_ref->{CREATED} . " by " . PXT::Utils->escapeHTML($data_ref->{CREATED_BY}); $subs{value_modified} = $data_ref->{LAST_MODIFIED} . " by " . PXT::Utils->escapeHTML($data_ref->{LAST_MODIFIED_BY}); $subs{key_label} = PXT::Utils->escapeHTML($data_ref->{KEY}); - $subs{value} = $data_ref->{VALUE}; + $subs{value} = PXT::Utils->escapeHTML($data_ref->{VALUE}); } else { $server->set_custom_value(-user_id => $pxt->user->id, is also needed.
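Review bot: escaping $data_ref->{VALUE} before it is substituted into the textarea is the right fix for the </textarea><script> breakout shown above, provided escapeHTML encodes the angle brackets so a closing tag in the value can no longer terminate the element. Two things to confirm in the same hunk: the adjacent value_created and value_modified lines escape CREATED_BY and LAST_MODIFIED_BY but concatenate CREATED and LAST_MODIFIED unescaped, which is only safe if those columns are database timestamps rather than user-controlled strings; and the else branch (set_custom_value) still stores the raw input, which is the intended behaviour given that any character may be saved as a custom value, so every other template that renders VALUE needs the same escapeHTML treatment rather than relying on the stored data being clean.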
It should be noted that the latest Spacewalk (1.6 to be) has these WebUI pages rewritten from Perl to Java and it does not seem to suffer from the XSS issue. However, in Spacewalk, the special characters seem to be stripped, so for example <script>alert(document.cookie)</script> becomes scriptalertdocument.cookie/script upon save. We need to investigate and hopefully address this Spacewalk issue as well because traditionally, any character could be saved as custom info value.
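To make the difference concrete between the two Perl fixes above (escaping the stored value when it is rendered) and the Spacewalk behaviour just described (stripping characters when the value is saved), here is a small added illustration in Python. It is not code from Satellite or Spacewalk: the two templates, the sample rows and the scrub() rule (dropping <, >, ( and ), which reproduces the scriptalertdocument.cookie/script result quoted above) are assumptions made for the example, and perform_substitutions() / escape_html_multi() only mimic the role of the PXT::Utils calls in the patches, not their real implementation.

```python
import html
import re

# Constructed sample rows shaped like the KEY/VALUE/ID columns the Perl code
# reads; the second value is the </textarea> breakout payload quoted above.
ROWS = [
    {"KEY": "asset_tag", "VALUE": "A-1234 (rack 7)", "ID": 1},
    {"KEY": "owner", "VALUE": "</textarea><script>alert(document.cookie)</script>", "ID": 2},
]

# Hypothetical templates standing in for the Sniglets blocks: the listing
# row on index.pxt and the textarea on edit.pxt.
INDEX_BLOCK = "<tr><th>{label}</th><td><pre>{value}</pre></td><td>{key_id}</td></tr>\n"
EDIT_BLOCK = '<textarea name="value">{value}</textarea>'


def perform_substitutions(block, subs):
    """Plain placeholder replacement, mimicking the role of
    PXT::Utils->perform_substitutions (an assumption, not its real code)."""
    out = block
    for name, val in subs.items():
        out = out.replace("{" + name + "}", str(val))
    return out


def escape_html_multi(subs):
    """HTML-escape every value in the hash, as the escapeHTML_multi call
    added by the index.pxt patch does before substitution."""
    return {k: html.escape(str(v), quote=True) for k, v in subs.items()}


def render_index(rows, fixed):
    """Listing page: unpatched (fixed=False) substitutes raw DB values,
    patched (fixed=True) escapes the hash first."""
    out = ""
    for cv in rows:
        subs = {"label": cv["KEY"], "value": cv["VALUE"], "key_id": cv["ID"]}
        if fixed:
            subs = escape_html_multi(subs)
        out += perform_substitutions(INDEX_BLOCK, subs)
    return out


def render_edit(row, fixed):
    """Edit page: the value is placed inside a <textarea>, which is exactly
    where a raw </textarea> in the value breaks out of the element."""
    value = row["VALUE"]
    if fixed:
        value = html.escape(value, quote=True)
    return perform_substitutions(EDIT_BLOCK, {"value": value})


def breaks_out_of_textarea(rendered):
    """True if the value closed the textarea early: more than one closing
    tag appears in a page that should contain exactly one."""
    return rendered.count("</textarea>") > 1


def scrub(value):
    """Assumed model of the Spacewalk input scrubbing described above: the
    characters <, >, ( and ) are dropped on save, which turns
    <script>alert(document.cookie)</script> into
    scriptalertdocument.cookie/script and loses legitimate data too."""
    return re.sub(r"[<>()]", "", value)


def escaped_round_trips(value):
    """Output encoding is lossless: unescaping the escaped text gives back
    the original value, so any character can still be stored."""
    return html.unescape(html.escape(value, quote=True)) == value


if __name__ == "__main__":
    print(render_index(ROWS, fixed=False))
    print(render_index(ROWS, fixed=True))
    unfixed = render_edit(ROWS[1], fixed=False)
    print(unfixed, breaks_out_of_textarea(unfixed))
    patched = render_edit(ROWS[1], fixed=True)
    print(patched, breaks_out_of_textarea(patched))
    print(scrub(ROWS[1]["VALUE"]), "|", scrub(ROWS[0]["VALUE"]))
```

Running the block prints the listing and edit pages in both states; the unpatched edit page contains two </textarea> tags and a live script element, the patched one contains one textarea holding the literal text. The scrub() output shows why stripping on save is the wrong layer: it destroys a harmless value such as "A-1234 (rack 7)", whereas escaping at render time keeps the stored bytes intact and still neutralises the payload.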
The Spacewalk patches would be: diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp index 4189ced..058d1d5 100644 --- a/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp +++ b/java/code/webapp/WEB-INF/pages/systems/sdc/listcustomdata.jsp @@ -34,7 +34,7 @@ <tr> <th>${current.label}</th> <td width="50%"> - <pre>${current.value}</pre> + <pre><c:out value="${current.value}" /></pre> <a href="/rhn/systems/details/UpdateCustomData.do?sid=${system.id}&cikid=${current.cikid}"> <bean:message key="sdc.details.customdata.editvalue"/> </a> diff --git a/java/code/webapp/WEB-INF/struts-config.xml b/java/code/webapp/WEB-INF/struts-config.xml index 97ddfc0..ddb46f9 100644 --- a/java/code/webapp/WEB-INF/struts-config.xml +++ b/java/code/webapp/WEB-INF/struts-config.xml @@ -1128,6 +1128,7 @@ <form-property name="label" type="java.lang.String" /> <form-property name="description" type="java.lang.String" /> <form-property name="submitted" type="java.lang.Boolean" /> + <form-property name="no_scrub" type="java.lang.String" initial="description"/> </form-bean> <form-bean name="updateCustomDataForm" @@ -1136,6 +1137,7 @@ <form-property name="label" type="java.lang.String" /> <form-property name="value" type="java.lang.String" /> <form-property name="submitted" type="java.lang.Boolean" /> + <form-property name="no_scrub" type="java.lang.String" initial="value"/> </form-bean> <form-bean name="updateTaskSchedule"
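Review bot: wrapping ${current.value} in <c:out> fixes the <pre> cell, but the context line directly above it, <th>${current.label}</th>, still emits the key label through raw EL with no escaping; since the label is also created by a user on the Custom System Info page it should get the same <c:out value="${current.label}" /> treatment. While in this file, the href in the same hunk uses a bare & between sid and cikid; inside a JSP that should be &amp;.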
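Review bot: the two struts-config.xml hunks add a no_scrub string property whose initial value names the field to leave unscrubbed (description in the first form-bean, value in the second), but nothing in the diff documents that convention; a one-line comment beside each <form-property name="no_scrub" .../> saying that it opts the named field out of input scrubbing would help the next reader. Opting value out of scrubbing also means its safety now rests entirely on output encoding, so every page that renders that field, including the UpdateCustomData.do page linked from listcustomdata.jsp, needs the <c:out> treatment and not only the listing page patched here.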
The CVE identifier of CVE-2011-4346 has been assigned to this issue.
The preliminary embargo date for this issue has been set to Wednesday, 2011-12-07.
This issue has been addressed in the following products: Red Hat Network Satellite Server v 5.4 via RHSA-2011:1794 https://rhn.redhat.com/errata/RHSA-2011-1794.html