Bug #4456
closed
CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page
Description
Description
Any user who has a privilege to add bookmarks could exploit the cross site scripting vulnerability to expose other users' personal data by storing malicious scripts when adding bookmark. As the script is permanently stored, every time others access /bookmarks to view the bookmarks, they will be affected.
Severity: High
Affected URLs
http://$foreman/bookmarks
Steps
Add a bookmark with some script code(e.g. <script>alert('xss')</script>) set as its bookmark name
Access /bookmarks to view bookmarks
Result
The script will be executed.
Remedy advice
User inputs such as special characters must be validated, filtered or encoded before being returned as part of the HTML code of a page.
Reference
CWE-931 - http://cwe.mitre.org/data/definitions/931.html
Affects
Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected, they correctly escape the message.
Files
Updated by Dominic Cleal about 10 years ago
- Subject changed from Bookmark names are vulnerable to XSS to CVE-2014-0089 - Bookmark names are vulnerable to XSS
- Description updated (diff)
Updated by Dominic Cleal about 10 years ago
Unreviewed v1 patch from Joseph.
Updated by Greg Sutcliffe about 10 years ago
I can't replicate this. A bookmark with the example code as name displays correctly on my bookmarks page, performs the search if selected on the Hosts page, and does not trigger the script when loaded - this is true both for admin and a normal user (with view_bookmarks, as tested with Marek's new rbac pr applied). Using Firefox 27.0.
The DB seems to show that no character conversion has occurred during save:
sqlite> select * from bookmarks;
7|<script>alert('xss')</script>|foo|hosts|t|1|User
The HTML of the page confirms it's displaying them safely:
<td><a class=" disabled" disabled="disabled" href="#" onclick="; return false;"><script>alert('xss')</script></a></td>
Just for fun I applied the attached patch anyway, and confirmed the all same behaviour and results, so the patch doesn't change anything, as far as I can tell.
Updated by Ohad Levy about 10 years ago
the issue is really with the exception 500 page, as the exception is treated as html safe.
every other place that you can generate an exception based on input will have this issue.
@Greg Sutcliffe, I had no problem to replicate this, ping me if you like to go over it togther
Updated by Joseph Magen about 10 years ago
Greg, you must start the rails server in production mode to see the error.
Updated by Dominic Cleal about 10 years ago
- Subject changed from CVE-2014-0089 - Bookmark names are vulnerable to XSS to CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page
To clarify, as Ohad said, this is an issue on the 500 error page. The bookmark page is failing to render and find an appropriate route for the bookmark containing the script tag, triggering a 500 error (which is a minor/partial DoS in itself, but not CVE-worthy) and then the 500 error page is rendering the error without HTML escaping.
Updated by Dominic Cleal about 10 years ago
- Description updated (diff)
Affects Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected, they correctly escape the message.
Updated by Dominic Cleal about 10 years ago
- Related to Bug #4519: Renaming host with / in name causes "No route matches" error added
Updated by Dominic Cleal about 10 years ago
- Target version changed from 1.9.1 to 1.9.0
Updated by Dominic Cleal about 10 years ago
- Status changed from Assigned to Pending
ACK, patch v1 is good.
Updated by Joseph Magen about 10 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Applied in changeset 69e46d6d6eb230f3aa4236838999284dfffccb6e.