Bug 963568 (CVE-2013-2101) - CVE-2013-2101 Katello: Multiple XSS in various entities
Summary: CVE-2013-2101 Katello: Multiple XSS in various entities
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2101
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 963569 963572 995657
Blocks: 963573 1000138
Reported: 2013-05-16 07:33 UTC by Kurt Seifried
Modified: 2019-09-29 13:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-01-17 05:34:14 UTC
Embargoed:


Description Kurt Seifried 2013-05-16 07:33:38 UTC
Eric Helms (ehelms) reports:

I have identified a number of areas and entities within Katello that are vulnerable to a cross-site scripting attack.

Reproducible: Always

Steps to Reproduce:
1. Log in
2. Navigate to Changeset/Repository/System/Distributor/Filter
3. Create a new entity from above giving it the name <a href="http://www.google.com">Entity 1</a>
4. Submit
Actual Results:
- Notification pops up saying success with a clickable link
- Users can navigate to 'Notices' page and see clickable link from successful creation of the entity
- If creating a Changeset, the changeset name will appear clickable inside the right hand list on the Changeset Management page

Expected Results:
The name should appear fully escaped everywhere that it is used.

This is a twofold issue:

1. This issue is not present with some entities due to model validation on the backend that prevents the use of HTML <,>,/ characters.  The entities defined above in the steps do not have this validation on their name property.

2. There are a few places where user input is not escaped on output. These locations are:
 - Notices displayed to the user are marked as html_safe to account for the application putting links for the user into some notices. This has the downside of presenting all notices unescaped to the user, opening this XSS hole.
 - In some areas of the application, JavaScript is used to construct templates and concatenate user input data from the server. Since this data is not escaped when input to the JavaScript, the result comes out with an XSS hole.
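The two output contexts the report describes, as an added example in plain JavaScript (not Katello's code): a notice string that is trusted as a whole and concatenates the entity name, beside a version that escapes only the user-supplied fragment so the application's own link still renders. The names `escapeHtml`, `renderNoticeUnsafe`, `renderNoticeSafe`, `countAnchorTags` and the `/notices` path are assumptions for this example.

```javascript
// Added example, not Katello code. Models the report's two findings: a notice
// trusted as a whole so the app can embed its own link, and user data
// concatenated into markup on the JavaScript side. All names here are assumed.

// Escape the characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: the entity name from the reproduction steps above.
const SAMPLE_NAME = '<a href="http://www.google.com">Entity 1</a>';

// Vulnerable form: the whole string is treated as trusted markup (the
// html_safe / innerHTML pattern), so the user's <a> becomes a live link.
function renderNoticeUnsafe(entityName) {
  return 'Created ' + entityName + ' (<a href="/notices">notices</a>)';
}

// Hardened form: only the template is trusted. The user-supplied fragment is
// escaped before insertion, so the app link survives and the payload is
// rendered as visible text. (In a browser, assigning the name via
// textContent instead of building an HTML string achieves the same.)
function renderNoticeSafe(entityName) {
  return 'Created ' + escapeHtml(entityName) + ' (<a href="/notices">notices</a>)';
}

// Detection check: the template contributes exactly one <a> tag, so any
// further anchor in the rendered output must have come from user data.
function countAnchorTags(html) {
  return (html.match(/<a\s/gi) || []).length;
}

console.log('unsafe anchors:', countAnchorTags(renderNoticeUnsafe(SAMPLE_NAME)));
console.log('safe anchors:  ', countAnchorTags(renderNoticeSafe(SAMPLE_NAME)));
console.log(renderNoticeSafe(SAMPLE_NAME));
```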

Comment 4 Bryan Kearney 2014-06-30 16:27:50 UTC
There have been several fixes (outlined below) in this area. The majority of the entities (system_group_packages, system_group_errata, promotions, repositories, changesets, distributors, content_views) are not in SAM. I vote we CLOSE/WONTFIX this.


commit e0eb37f7bbf9794587f959803f4e6f5f4ec070c7
Author: Adam Price <komidore64>
Date:   Wed Aug 28 17:26:37 2013 -0400

    1001173 - User notification message should escape html characters
    from custom info
    (cherry picked from commit ddb90f4666e86c8d80cf899eef88e41bbafed524)


added to the bug. This was added in 1.4.3-12

commit c38ed1e5e9c9914af463692692a51a8c0b8bb494
Author: Adam Price <komidore64>
Date:   Wed Jul 24 17:58:53 2013 -0400

    987909 - Org names rendered as HTML
    
    making sure ORG name is escaped if it has HTML characters in its name.
    
    this includes changes to jeditable's default text.content function and a
    quick substitution of characters in displayed notices

which was added in katello-1.4.3-1

commit 40e586f4f93a785166fac9590fbf1ff6723a0cc5
Author: Adam Price <komidore64>
Date:   Wed Jul 17 11:26:48 2013 -0400

    982196 - UI editing description
    
    override jeditable's textarea 'content' function to not escape text with
    <, >

which was added in katello-1.4.3-1
