MaaS API is vulnerable to XSS

Bug #1251336 reported by Chris Glass on 2013-11-14
Affects    Importance   Assigned to
MAAS       Critical     Julian Edwards
1.2        Critical     Julian Edwards
1.4        Critical     Julian Edwards

Bug Description

The MaaS API is vulnerable to cross-site scripting attacks, allowing an unprivileged user to steal admin sessions.

A potential attacker can execute arbitrary JavaScript code in the admin's browser (in the site's document.domain) should he manage to trick him/her into clicking a forged link.

Example:
The following link can be expanded to hijack the admin user's session:

"http://192.168.100.2/MAAS/api/1.0/nodes/?op=test<script>alert(document.domain)</script>balh"

Note: some browsers (like Chrome) sanitize the URL bar, and therefore an attacker would need to craft a form (to pass the "op" parameter as a POST parameter rather than a GET).

Demonstrating the POST version can be done with:
curl --data "op=<script>alert(document.domain)</script>" http://192.168.100.2/MAAS/api/1.0/nodes/

Suggestions:
1. Sanitize all errors returned to the user via the API so that they do not contain the characters '<' and '>' (since the API should only return JSON).
2. Making all API URLs return "text/json" as their only content type will further harden the application (since browsers won't even try to interpret code on non-text/html pages).
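Added illustration of the pattern described in this report (example code written for this page; it is not MAAS code and the handler bodies, operation names and error wording are hypothetical). It reflects the unknown "op" value into an HTML-typed error body the way the vulnerable endpoint did, then applies the two suggestions above (no literal angle brackets in the body, a non-HTML content type; application/json is used in place of the non-standard "text/json") together with X-Content-Type-Options: nosniff, a later standard defence against the MIME sniffing discussed later in this thread that the page itself does not mention. A small browser-side check shows which response a browser could execute.

```python
"""Constructed illustration of the reflected XSS pattern in bug #1251336 and
of the two hardening steps the report suggests. Hypothetical handlers and
operation names; this is not MAAS code."""
import json
from urllib.parse import parse_qs

# The "op" value from the report's proof-of-concept link.
PAYLOAD = "test<script>alert(document.domain)</script>balh"

# Hypothetical set of operations the API understands.
KNOWN_OPS = {"list", "new", "acquire"}


def vulnerable_error(op):
    """Pre-fix behaviour (hypothetical): the unknown ``op`` is echoed
    verbatim into an HTML-typed error body, so whatever markup the
    attacker put in the parameter is rendered by the victim's browser."""
    body = "Unrecognised operation: %s" % op
    return 400, {"Content-Type": "text/html; charset=utf-8"}, body


def hardened_error(op):
    """Post-fix behaviour: suggestion 1 (no literal '<' or '>' in the
    body), suggestion 2 (a non-HTML content type; application/json is the
    registered type, "text/json" is not), plus X-Content-Type-Options:
    nosniff, a later standard defence against MIME sniffing that the bug
    page itself does not mention."""
    body = json.dumps({"error": "Unrecognised operation", "op": op})
    # json.dumps leaves '<' and '>' alone.  Encoding them as \u003c and
    # \u003e keeps the document valid JSON (json.loads restores them) but
    # makes it impossible for the body to contain an HTML tag.
    body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 400, headers, body


def handle(method, query_string="", post_body="", handler=vulnerable_error):
    """Minimal dispatcher covering the two vectors in the report: ``op``
    taken from the query string (GET link) or from a form body (POST)."""
    params = parse_qs(post_body if method == "POST" else query_string)
    op = params.get("op", [""])[0]
    if op in KNOWN_OPS:
        return 200, {"Content-Type": "application/json"}, json.dumps({"op": op})
    return handler(op)


def renders_as_script(status, headers, body):
    """Conservative browser-side check: could a browser execute a
    <script> in this response?  True when the body carries a literal tag
    and the response is typed as HTML, or is typed as something else
    without nosniff (a sniffing browser might still treat it as HTML)."""
    if "<script" not in body.lower():
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in ("", "text/html", "application/xhtml+xml"):
        return True
    return headers.get("X-Content-Type-Options", "").lower() != "nosniff"


def decode_error(body):
    """Parse a JSON error body (shows the escaped form round-trips)."""
    return json.loads(body)


if __name__ == "__main__":
    before = handle("GET", "op=" + PAYLOAD)
    after = handle("POST", post_body="op=" + PAYLOAD, handler=hardened_error)
    print("before fix, script rendered:", renders_as_script(*before))
    print("after fix, script rendered: ", renders_as_script(*after))
    print("after fix, body:", after[2])
```

The escaped JSON still decodes to the original "op" value, so API clients see exactly what they sent while a browser that lands on the error page has nothing to interpret as markup.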

Changed in maas:
status: New → Triaged
importance: Undecided → Critical
Changed in maas:
assignee: nobody → Julian Edwards (julian-edwards)
status: Triaged → In Progress
Julian Edwards (julian-edwards) wrote :

Contacted Seth Arnold about this - holding off landing until packages are landed in Ubuntu.

Seth Arnold (seth-arnold) wrote :

I'm afraid these patches may not be sufficient; I believe some (most?) browsers perform content introspection to determine if the server-supplied mime type is correct. If an attacker supplies some <html><script> tags in their input, a real browser may happily execute the script contents against the server's explicit demands.

If IE6 is the only browser this busted, I'm fine with this patch, but we should discover which browsers might ignore server-supplied mime types; we may need to manually escape special characters.

Thanks

Julian Edwards (julian-edwards) wrote :

On Friday 07 Feb 2014 21:37:32 Seth Arnold wrote:
> I'm afraid these patches may not be sufficient; I believe some (most?)
> browsers perform content introspection to determine if the server-
> supplied mime type is correct. If an attacker supplies some
> <html><script> tags in their input, a real browser may happily execute
> the script contents against the server's explicit demands.
>
> If IE6 is the only browser this busted, I'm fine with this patch, but we
> should discover which browsers might ignore server-supplied mime types;
> we may need to manually escape special characters.
>
> Thanks

This broke on Firefox and I have tested that the fix works.

Chromium was always fine and not broken. Go figure :)

If you can find a browser that it does not work on, then I am happy to fix it
by escaping.

Seth Arnold (seth-arnold) wrote :

Hooray, looks like even the usual suspect IE6 isn't stupid enough to ignore a server-supplied text/plain: http://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx

Thanks Julian

Julian Edwards (julian-edwards) wrote :

On Tuesday 11 Feb 2014 00:29:58 you wrote:
> Hooray, looks like even the usual suspect IE6 isn't stupid enough to
> ignore a server-supplied text/plain: http://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx
>
> Thanks Julian

\o/

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1070

Seth Arnold (seth-arnold) wrote :

Ubuntu packages have been released. Thanks!

information type: Private Security → Public Security
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released