A number of XSS flaws were reported in Cumin. These flaws could be used by a remote attacker to inject arbitrary web script on a web page displayed by Cumin. To solve the problem, xml_escape() (as defined in wooly/python/wooly/util.py, a simple wrapper around xml.sax.saxutils.escape()) is called on any values that are displayed on a web page and originate outside of Cumin, or through a form submitted by a user. Many of these have been corrected upstream in r5238 [1].
[1] https://fedorahosted.org/pipermail/cumin-developers/2012-March/000796.html
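An added illustration of the fix pattern described above, not Cumin's code and not taken from the attached write-up: untrusted values are escaped at the point they are written into markup. The body of `xml_escape` here is an assumed shape for the wrapper, and `attr_escape`, `render_cell` and `render_input` are hypothetical names; the attribute helper is included because `xml.sax.saxutils.escape()` does not touch quote characters by default.

```python
from xml.sax.saxutils import escape

# Assumed shape of the wrapper the report describes; not Cumin's actual source.
def xml_escape(value):
    """Escape &, < and > so the value is inert as HTML/XML element content."""
    if value is None:
        return ""
    return escape(str(value))

# Hypothetical helper: escape() leaves quotes untouched, so a value written
# into a quoted attribute also needs " and ' mapped to entities.
def attr_escape(value):
    if value is None:
        return ""
    return escape(str(value), {'"': "&quot;", "'": "&#x27;"})

def render_cell(value):
    """Element-content context, e.g. a table cell showing a submitted name."""
    return "<td>%s</td>" % xml_escape(value)

def render_input(name, value):
    """Attribute context: `name` is a fixed developer string, `value` is untrusted."""
    return '<input name="%s" value="%s"/>' % (name, attr_escape(value))

if __name__ == "__main__":
    # Constructed sample values standing in for data that originates outside
    # the application (submitted forms, externally supplied names).
    samples = ['<script>alert(1)</script>', 'R&D queue', 'say "hi"']
    for s in samples:
        print(render_cell(s))
        print(render_input("description", s))
```

When checking a page for a missed call site, the rendered source should contain the entity-encoded form of the submitted value and never the raw markup characters.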
Created attachment 571986
Technical write up on vulnerabilities, fixes, and testing
Slightly different than the original version, but only because I changed the integers used in alert scripts to be unique so that when they are run it is unambiguous which one is displaying. This might be helpful when testing Cumin for the presence of errors.
Created attachment 571987
Quota config, referenced from the pdf
Created attachment 571988
Aviary submit script, referenced from the pdf
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2012:0477 https://rhn.redhat.com/errata/RHSA-2012-0477.html
This issue has been addressed in the following products:
MRG for RHEL-5 v. 2
Via RHSA-2012:0476 https://rhn.redhat.com/errata/RHSA-2012-0476.html
Created cumin tracking bugs for this issue
Affects: fedora-all [bug 812066]
Current Fedora ships cumin-0.1.5522 which is based on upstream svn r5522 and includes this fix.