Bug 1100313 - (CVE-2014-3491) CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://projects.theforeman.org/issues...
Whiteboard: impact=moderate,public=20140618,repor...
Keywords: Security, Triaged
Blocks: 1130555
Reported: 2014-05-22 09:56 EDT by Adam Saleh
Modified: 2015-01-29 21:41 EST (History)

Doc Type: Bug Fix
Last Closed: 2015-01-29 21:41:46 EST
Type: Bug
Description Adam Saleh 2014-05-22 09:56:42 EDT
Description of problem:
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140520.2


How reproducible:
always


Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
     Name: test<script>alert('HI')</script>
   Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list


Actual results:
Once the hostgroup is submitted, a JavaScript alert window appears (the script gets executed)


Expected results:
The Submit button should not execute JavaScript
Comment 3 Dominic Cleal 2014-05-22 10:43:33 EDT
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881.

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
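The notification pattern described in the comment above, as an added example in Ruby (this is not Foreman's code and not the upstream fix, which the bug does not show): a notice built by interpolating the raw resource name beside the same notice with the name escaped, plus a review check that flags any tag in the rendered output that is not part of the trusted template. The helper names, the template wording and the allowed-tag list are assumptions.

```ruby
require 'erb'

# Constructed sample input, mirroring the name used in the bug report.
SAMPLE_NAME = "test<script>alert('HI')</script>"

# Tags the trusted notice template itself is allowed to emit (assumption).
ALLOWED_TAGS = %w[strong /strong].freeze

# Vulnerable pattern (assumed, for illustration): the notice is assembled as
# HTML and the user-controlled name is interpolated unescaped, so markup in a
# resource name is rendered and executed by the browser that shows the popup.
def unsafe_notice(action, name)
  "<strong>#{name}</strong> was #{action}."
end

# Hardened pattern: escape the untrusted name before it enters the HTML string.
# ERB::Util.html_escape is the same escaper Rails' h() helper delegates to, so
# <, >, &, " and ' in the name become entities and are displayed as text.
def safe_notice(action, name)
  "<strong>#{ERB::Util.html_escape(name)}</strong> was #{action}."
end

# Regression check for a notice: every tag present in the rendered HTML that is
# not part of the trusted template must have come from user input. Returns the
# list of such tag names (empty when the output is clean).
def injected_tags(html)
  html.scan(%r{<(/?[a-zA-Z][a-zA-Z0-9]*)})
      .flatten
      .reject { |tag| ALLOWED_TAGS.include?(tag.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{unsafe_notice('created', SAMPLE_NAME)}"
  puts "         injected tags: #{injected_tags(unsafe_notice('created', SAMPLE_NAME)).inspect}"
  puts "escaped: #{safe_notice('created', SAMPLE_NAME)}"
  puts "         injected tags: #{injected_tags(safe_notice('created', SAMPLE_NAME)).inspect}"
end
```

The same check applies to the edit and delete notices the comment mentions, since the stored name reaches every user who later acts on the resource.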
Comment 6 Kurt Seifried 2015-01-29 21:33:35 EST
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.
Comment 7 Kurt Seifried 2015-01-29 21:41:46 EST
This issue has been addressed in the following products:

  Red Hat Satellite 6

Via the GA release of Satellite 6.
