Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1475303 - Text Injection possible
Summary: Text Injection possible
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
low
urgent
Target Milestone: GA
: 5.10.0
Assignee: Martin Povolny
QA Contact: Yadnyawalk Tale
URL:
Whiteboard: ui:flash_msg
: 1486665 (view as bug list)
Depends On:
Blocks: 1515355 1520669
TreeView+ depends on / blocked
 
Reported: 2017-07-26 12:15 UTC by Vatsal Parekh
Modified: 2019-02-07 23:02 UTC (History)
9 users (show)

Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1515355 1520669 (view as bug list)
Environment:
Last Closed: 2019-02-07 23:02:36 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:02:47 UTC

Comment 2 Martin Povolny 2017-09-25 17:13:07 UTC
*** Bug 1486665 has been marked as a duplicate of this bug. ***

Comment 3 Martin Povolny 2017-10-16 12:53:47 UTC
> Perform some action and flash message is shown

Sorry, but my crystal ball is broken this week

I did perform some action but saw no flash msg.

I believe there's an issue as you describe it SOMEWHERE but...

Comment 4 Martin Povolny 2017-10-16 13:04:11 UTC
Actually I did find an example in the DUP of this issue:

> Description of problem:
> After creating a VM creation request, the flash message shown is sent as a URL 
> parameter, and can be easily edited, and be misused

> Version-Release number of selected component (if applicable):
> Version master.20170830023715_aa4dab9

> How reproducible:
> 100%

> Steps to Reproduce:
> 1.Submit a request for VM creation
> 2.See the flash message

> Actual results:
> Flash message in the URL url parameter

If would be helpful if you could help me get all the places that you have found into one BZ but with a description that I would be able to reproduce (as the one above).

Thx!

Comment 5 Martin Povolny 2017-10-16 14:16:43 UTC
fixing one such place:

https://github.com/ManageIQ/manageiq-ui-classic/pull/2408

Comment 6 Martin Povolny 2017-10-16 17:15:47 UTC
One more such place: 

https://github.com/ManageIQ/manageiq-ui-classic/pull/2412

All places are see are using a Rails function for the redirect, no javascript injection is possible, I don't consider this a security issue.

We can fix all the places as a "hardening" task but afaik this should not be a priority.

The two fixes in this PR can be considered a pattern to fix all the other places.

Comment 7 Vatsal Parekh 2017-10-17 18:15:23 UTC
(In reply to Martin Povolny from comment #4)
> Actually I did find an example in the DUP of this issue:
> 
> > Description of problem:
> > After creating a VM creation request, the flash message shown is sent as a URL 
> > parameter, and can be easily edited, and be misused
> 
> > Version-Release number of selected component (if applicable):
> > Version master.20170830023715_aa4dab9
> 
> > How reproducible:
> > 100%
> 
> > Steps to Reproduce:
> > 1.Submit a request for VM creation
> > 2.See the flash message
> 
> > Actual results:
> > Flash message in the URL url parameter
> 
> If would be helpful if you could help me get all the places that you have
> found into one BZ but with a description that I would be able to reproduce
> (as the one above).
> 
> Thx!

To list such places,
Places where we provision/order VMs, delete/modify them, in general I see almost all the flash messages passed in as a url parameter.

Comment 8 Martin Povolny 2017-10-26 10:11:58 UTC
> In general I see almost all the flash messages passed in as a url parameter.

I don't.

Comment 10 Vatsal Parekh 2017-11-06 11:06:10 UTC
I'm also not seeing them now, used to see them in previous builds.

Comment 11 Martin Povolny 2017-11-20 16:22:27 UTC
Ok, moving this to POST. Some places where fixed.

Once we have more places found we can create new BZs.

The pattern for the fix is pretty straightforward once you see the place.

Comment 16 Martin Povolny 2017-12-04 19:10:48 UTC
As I previously declared: If you show me such places, I can get it fixed.

Comment 20 Yadnyawalk Tale 2018-10-03 17:19:58 UTC
Fixed! Flash messages are now gone from several main feature pages (tested for GET URL parameters). I do understand this is something we can not fully mitigate and there are several internal parts of CFME which are still uses flash via GET.

As of now it is fixed in 5.10.0.17.20180927011235_1b5cf54.
Well done! Thank you!

Comment 21 errata-xmlrpc 2019-02-07 23:02:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212


Note You need to log in before you can comment on or make changes to this bug.