Bug 947736 (CVE-2015-5966) - VUL-0: CVE-2015-5966: obs: webui: XSS in comments
Summary: VUL-0: CVE-2015-5966: obs: webui: XSS in comments
Status: RESOLVED FIXED
Alias: CVE-2015-5966
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assignee: Hendrik Vogelsang
QA Contact: Security Team bot
Reported: 2015-09-28 08:45 UTC by Marcus Meissner
Modified: 2017-03-22 16:10 UTC

Attachments
Proposed patch (653 bytes, patch)
2015-09-30 14:34 UTC, Hendrik Vogelsang
Description Marcus Meissner 2015-09-28 08:45:56 UTC
From: Fabian <fvogt@suse.com>
To: Adrian Schröter <adrian@suse.de>
Date: Mon, 28 Sep 2015 10:14:29 +0200
Subject: [security@suse.de] XSS in the OBS Web UI

Hi,

it is possible to enter unsanitized HTML as comments in the Web-UI,
as an example you can visit https://build.suse.de/project/show/home:favogt:XSS-test
The comment is fairly trivial:
    <script>alert("Hi")</script>
    <iframe src="https://en.opensuse.org"></iframe>

This is IMO highly critical, as it is possible to take full control of a logged-in user
and even steal passwords if the browser stored them.
As any user with an account can comment on everything, including foreign home projects,
exploiting this vulnerability would yield a high success rate.

By adding a comment on "https://build.opensuse.org/project/show/openSUSE:Factory"
I could become maintainer of openSUSE:Factory, should one of the maintainers visit the page.
By adding a comment on my submit requests, they would get accepted automatically...
If done correctly, something like this is very hard to notice, if at all.

I wonder why this hasn't been found before (or was it? Hopefully not).

Thanks,
Fabian
Comment 1 Victor Pereira 2015-09-28 10:32:54 UTC
The problem is here: https://github.com/openSUSE/open-build-service/blame/master/src/api/app/helpers/comment_helper.rb#L4

We are marking the string as safe; however, it isn't.
Comment 2 Swamp Workflow Management 2015-09-28 22:00:56 UTC
bugbot adjusting priority
Comment 3 Victor Pereira 2015-09-29 08:53:55 UTC
You should check all "html_safe" calls. Looks like somebody got it wrong back in the day. It actually doesn't make the HTML safe; on the contrary, it marks the HTML code as "safe" and therefore it won't be escaped. A quick search shows that it's quite often used...
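Added example, not code from the OBS repository: plain Ruby with a small stand-in for ActiveSupport's `html_safe` flag, showing why marking the comment body as safe disables the view's escaping and what the escaped output of the same body looks like after the fix.

```ruby
require "erb"

# Assumption: TrustedHtml models a string that has been marked html_safe.
# Rails escapes every value interpolated with <%= %> unless it carries that flag.
class TrustedHtml < String; end

# Minimal model of the Rails view layer: escape unless the value is flagged trusted.
def render_into_view(value)
  value.is_a?(TrustedHtml) ? value.to_s : ERB::Util.html_escape(value)
end

# Flawed helper, as described in the bug: the user-controlled comment body is
# flagged trusted, so the view emits the submitted markup verbatim.
def comment_body_vulnerable(body)
  TrustedHtml.new(body)
end

# Fixed helper: hand the body to the view as an ordinary string, so it is escaped.
def comment_body_fixed(body)
  body.to_s
end

# Wrap the helper output the way a comment partial would.
def render_comment(helper_output)
  %(<div class="comment">#{render_into_view(helper_output)}</div>)
end

# Regression check: does the rendered HTML still contain an active script/iframe tag?
def contains_active_markup?(html)
  html.match?(%r{<\s*/?\s*(script|iframe)\b}i)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample body mirroring the proof of concept quoted in the report.
  body = %q{<script>alert("Hi")</script>}
  puts render_comment(comment_body_vulnerable(body)) # tag survives untouched
  puts render_comment(comment_body_fixed(body))      # tag rendered as entities
end
```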
Comment 4 Hendrik Vogelsang 2015-09-30 09:26:09 UTC
Disabled in production
Comment 5 Hendrik Vogelsang 2015-09-30 14:34:18 UTC
Created attachment 649658 [details]
Proposed patch

Proposed patch. We think (two team members, independently) that the other occurrences of html_safe are fine.
Comment 6 Hendrik Vogelsang 2015-09-30 14:35:21 UTC
I'm currently working out how we are making releases as Adrian is on vacation until Monday. The patch is already deployed on both instances we control (OBS/IBS).
Comment 7 Fabian Vogt 2015-09-30 14:50:44 UTC
Looks good to me, but I found out that it is not escaped in the "New comment in project" mail. That's not a big (security) issue though, just a minor inconsistency AFAICS.
Comment 8 Hendrik Vogelsang 2015-09-30 15:09:03 UTC
It's a nice way to see that someone tried something :-)
Comment 9 Hendrik Vogelsang 2015-09-30 15:19:18 UTC
I also can't find any such comments in the DB anymore, which of course doesn't mean that they were never in there. I'm going through the backups that we have now...
Comment 14 Andreas Stieger 2015-10-01 11:46:46 UTC
Use CVE-2015-5966.
Comment 16 Andreas Stieger 2015-10-09 08:00:37 UTC
Commits are pushed, release build is running.
Making public.
Comment 17 Andreas Stieger 2015-10-09 08:05:08 UTC
Affected: 2.6.x <= 2.6.4, fixed in 2.6.5.
Affected: 2.5.x <= 2.5.7
Not affected: 2.4.x and earlier as they lack this comment function