Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 15 Sep 2016 14:42:44 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: ben@...rtzlander.org
Subject: CVE-2016-6519: openstack-manila: Persistent XSS in Metadata field

Hi,

One of SUSE customers has found Persistent XSS in Metadata field in Openstack Manila.

Openstack Manila is currently not covered by the Openstack Security Team, so they
defered announcement to us.

------------------------------------

CVE-2016-6519: OpenStack manila-ui: Persistent XSS in Metadata field

It was discovered that the Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. The issue comes from a mark_safe() call on the user supplied metadata.

https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49

Remote, authenticated, but unprivileged users could exploit this vulnerability to escalate privileges by stealing session cookies.

Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:

a=<script>alert("test")/*
b=*/<script>

As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list will be loaded (e.g. by clicking on Project -> Compute -> Shares).

The issue was discovered by Niklaus Schiess, the fix was provided Valeriy Ponomaryov.

MITRE assigned CVE-2016-6519 to this issue.
The upstream bug is https://bugs.launchpad.net/manila-ui/+bug/1597738
The SUSE bug is https://bugzilla.suse.com/show_bug.cgi?id=988935
SUSE's evaluation has a CVSS base score 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

-----------------------------------

The proposed upstream fix is attached.

Ciao, Marcus

View attachment "fix_v2_for_bug_1597738_stable_mitaka_and_liberty.txt" of type "text/plain" (8139 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.