Bug 1100313 (CVE-2014-3491) - CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Summary: CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-3491
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://projects.theforeman.org/issues...
Whiteboard: impact=moderate,public=20140618,repor...
Keywords: Security, Triaged
Depends On:
Blocks: 1130555
TreeView+ depends on / blocked
 
Reported: 2014-05-22 13:56 UTC by Adam Saleh
Modified: 2019-06-08 20:03 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-01-30 02:41:46 UTC


Attachments (Terms of Use)

Description Adam Saleh 2014-05-22 13:56:42 UTC
Description of problem:
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140520.2


How reproducible:
always


Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
     Name: test<script>alert('HI')</script>
     
   Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list


Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)


Expected results:
Submit button should not execute javascript

Comment 3 Dominic Cleal 2014-05-22 14:43:33 UTC
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881.

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources.  I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

Comment 6 Kurt Seifried 2015-01-30 02:33:35 UTC
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.

Comment 7 Kurt Seifried 2015-01-30 02:41:46 UTC
his issue has been addressed in the following products:

  Red Hat Satellite 6

Via the GA release of Satellite 6.


Note You need to log in before you can comment on or make changes to this bug.