Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 06 Jun 2014 16:07:47 -0400
From: Stephen Gallagher <sgallagh@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Requesting CVEs issued for two XSS vulnerabilities in Djblets (a
 set of Django helpers)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

== XSS Vulnerability in Djblets json_dumps() ==
Description of problem:

Django's JSON serialization does not handle escaping of any characters
to make them safe for injecting into HTML. This allows an attacker who
can provide part of a JSON-serializable object to craft a string that
can break out of a <script> tag and create its own, injecting a custom
script.

To fix this, we escape '<', '>', and '&' characters in the resulting
string, preventing a </script> from executing.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time


Steps to Reproduce:
1. User can change their display name to "</script><script>
alert(1)</script>"
2. Browse a page where this user was the submitter

Actual results:
Script is executed

Expected results:
User's name should be sanitized

Additional info:
Issue is public, due to it having been reported on upstream's public
bug tracker.

Upstream bug report:
https://code.google.com/p/reviewboard/issues/detail?id=3406

Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5944/diff
Djblets 0.8.x: https://reviews.reviewboard.org/r/5945/diff

I do not yet have the real name of the reporter to credit.




== XSS Vulnerability in Djblets gravatar templates ==
Description of problem:
The generated gravatar HTML wasn't handling escaping of the display name
of the user, allowing an attacker to choose a name that would close out
the <img> tag and inject a <script> tag.

By switching to Django's format_html(), we can guarantee safe escaping
of content.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time

Steps to Reproduce:
1. User can change their display name to "</script><script>
alert(1)</script>"
2. Configure this user for a Gravatar image
3. Browse to any page displaying the gravatar image

Actual results:
The script executes

Expected results:
The username should be properly sanitized and prevent XSS execution.

Additional info:
Issue is public now as the fix has now been committed to upstream git.

Credit for the discovery of this vulnerability should be given to
Christian Hammond of Bean Bag, Inc. (author of Review Board).

This issue is present in the python-djblets package on Fedora 19, 20,
Rawhide and EPEL 6 (EPEL 7 has not yet had a successful build).

Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5947/diff/
Djblets 0.8.x: https://reviews.reviewboard.org/r/5946/diff/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlOSH5MACgkQeiVVYja6o6MN/gCfQKsY5cvuApPtGhX1BomvapN3
UEEAoJ3a1r3Q+uQnMXid/E/+0LeHN9uX
=c6fl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.