|
Date: Fri, 06 Jun 2014 16:07:47 -0400 From: Stephen Gallagher <sgallagh@...hat.com> To: oss-security@...ts.openwall.com Subject: Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 == XSS Vulnerability in Djblets json_dumps() == Description of problem: Django's JSON serialization does not handle escaping of any characters to make them safe for injecting into HTML. This allows an attacker who can provide part of a JSON-serializable object to craft a string that can break out of a <script> tag and create its own, injecting a custom script. To fix this, we escape '<', '>', and '&' characters in the resulting string, preventing a </script> from executing. Version-Release number of selected component (if applicable): python-djblets-0.8.2-1.fc21 python-djblets-0.7.29-1.fc20 How reproducible: Every time Steps to Reproduce: 1. User can change their display name to "</script><script> alert(1)</script>" 2. Browse a page where this user was the submitter Actual results: Script is executed Expected results: User's name should be sanitized Additional info: Issue is public, due to it having been reported on upstream's public bug tracker. Upstream bug report: https://code.google.com/p/reviewboard/issues/detail?id=3406 Upstream patch: Djblets 0.7.x: https://reviews.reviewboard.org/r/5944/diff Djblets 0.8.x: https://reviews.reviewboard.org/r/5945/diff I do not yet have the real name of the reporter to credit. == XSS Vulnerability in Djblets gravatar templates == Description of problem: The generated gravatar HTML wasn't handling escaping of the display name of the user, allowing an attacker to choose a name that would close out the <img> tag and inject a <script> tag. By switching to Django's format_html(), we can guarantee safe escaping of content. Version-Release number of selected component (if applicable): python-djblets-0.8.2-1.fc21 python-djblets-0.7.29-1.fc20 How reproducible: Every time Steps to Reproduce: 1. User can change their display name to "</script><script> alert(1)</script>" 2. Configure this user for a Gravatar image 3. Browse to any page displaying the gravatar image Actual results: The script executes Expected results: The username should be properly sanitized and prevent XSS execution. Additional info: Issue is public now as the fix has now been committed to upstream git. Credit for the discovery of this vulnerability should be given to Christian Hammond of Bean Bag, Inc. (author of Review Board). This issue is present in the python-djblets package on Fedora 19, 20, Rawhide and EPEL 6 (EPEL 7 has not yet had a successful build). Upstream patch: Djblets 0.7.x: https://reviews.reviewboard.org/r/5947/diff/ Djblets 0.8.x: https://reviews.reviewboard.org/r/5946/diff/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOSH5MACgkQeiVVYja6o6MN/gCfQKsY5cvuApPtGhX1BomvapN3 UEEAoJ3a1r3Q+uQnMXid/E/+0LeHN9uX =c6fl -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.