Bug 963568 - (CVE-2013-2101) CVE-2013-2101 Katello: Multiple XSS in various entities
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 963569 963572 995657
Blocks: 963573 1000138
Reported: 2013-05-16 03:33 EDT by Kurt Seifried
Modified: 2015-01-19 02:35 EST

Doc Type: Bug Fix
Last Closed: 2015-01-17 00:34:14 EST

Description Kurt Seifried 2013-05-16 03:33:38 EDT
Eric Helms (ehelms@redhat.com) reports:

I have identified a number of areas and entities within Katello that are vulnerable to a cross-site scripting attack.

Reproducible: Always

Steps to Reproduce:
1. Log in
2. Navigate to Changeset/Repository/System/Distributor/Filter
3. Create a new entity from above giving it the name <a href="http://www.google.com">Entity 1</a>
4. Submit
Actual Results:
- Notification pops up saying success with a clickable link
- Users can navigate to 'Notices' page and see clickable link from successful creation of the entity
- If creating a Changeset, the changeset name will appear clickable inside the right hand list on the Changeset Management page

Expected Results:
The name should appear fully escaped everywhere that it is used.

This is a twofold issue:

1. This issue is not present with some entities due to model validation on the backend that prevents the use of HTML <,>,/ characters.  The entities defined above in the steps do not have this validation on their name property.

2. There are a few places where user input is not escaped on output. These locations are:
 - notices displayed to the user are marked as html_safe to account for the application putting links for the user into some notices; this has the downside of presenting all notices unescaped to the user and opening this XSS hole
 - in some areas of the application, JavaScript is used to construct templates and concatenate user input data from the server; since this data is not escaped when input to the JavaScript, the result comes out with an XSS hole
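Both halves of the issue described in the report, modelled in plain Ruby as an added example (this is not Katello's code): an assumed name validator matching the backend rule the report describes, the html_safe-style notice that emits the name raw beside a version that escapes each untrusted fragment before joining it with the application's own link markup, and a template fragment escaped before it reaches JavaScript. The notice wording, the `/changesets/1` link and the function names are assumptions.

```ruby
require 'erb'

# Constructed sample input, taken from the report's steps to reproduce.
PAYLOAD_NAME = '<a href="http://www.google.com">Entity 1</a>'.freeze

# Half 1 of the report: backend model validation. The report says some
# entities already reject names containing <, > or /; this assumed
# validator applies the same rule. It narrows the attack surface but is
# no substitute for escaping on output (half 2).
def valid_entity_name?(name)
  !name.match?(%r{[<>/]})
end

# Half 2, vulnerable pattern: the whole notice is treated as trusted
# markup (Rails html_safe) so the app can embed its own links, which
# also emits the user-supplied name unescaped.
def vulnerable_notice(name, link_href)
  "Successfully created #{name}. <a href=\"#{link_href}\">View</a>"
end

# Half 2, hardened form: escape every untrusted fragment before joining
# it with markup, and leave only the application's own markup raw. This
# is the shape of the "escape html characters" fix cited in comment 4.
def safe_notice(name, link_href)
  "Successfully created #{ERB::Util.html_escape(name)}. " \
    "<a href=\"#{ERB::Util.html_escape(link_href)}\">View</a>"
end

# The report's other location: server data concatenated into a
# JavaScript-built template. Escape before the value enters the
# template string rather than trusting the template to do it.
def template_list_item(name)
  "<li>#{ERB::Util.html_escape(name)}</li>"
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_notice(PAYLOAD_NAME, '/changesets/1')
  puts safe_notice(PAYLOAD_NAME, '/changesets/1')
  puts valid_entity_name?(PAYLOAD_NAME)
end
```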
Comment 4 Bryan Kearney 2014-06-30 12:27:50 EDT
There have been several fixes (outlined below) in this area. The majority of the entities (system_group_packages, system_group_errata, promotions, repositories, changesets, distributors, content_views) are not in SAM. I vote we CLOSE/WONTFIX this.

commit e0eb37f7bbf9794587f959803f4e6f5f4ec070c7
Author: Adam Price <komidore64@gmail.com>
Date:   Wed Aug 28 17:26:37 2013 -0400

    1001173 - User notification message should escape html characters
    from custom info
    (cherry picked from commit ddb90f4666e86c8d80cf899eef88e41bbafed524)

added to the bug. This was added in 1.4.3-12

commit c38ed1e5e9c9914af463692692a51a8c0b8bb494
Author: Adam Price <komidore64@gmail.com>
Date:   Wed Jul 24 17:58:53 2013 -0400

    987909 - Org names rendered as HTML
    making sure ORG name is escaped if it has HTML characters in its name.
    this includes changes to jeditable's default text.content function and a
    quick substitution of characters in displayed notices

which was added in katello-1.4.3-1

commit 40e586f4f93a785166fac9590fbf1ff6723a0cc5
Author: Adam Price <komidore64@gmail.com>
Date:   Wed Jul 17 11:26:48 2013 -0400

    982196 - UI editing description
    override jeditable's textarea 'content' function to not escape text with
    <, >

which was added in katello-1.4.3-1
