Persistent XSS in Metadata field

Bug #1597738 reported by Niklaus Schiess on 2016-06-30
This bug affects 2 people
Affects: manila-ui
Importance: Critical
Assigned to: Valeriy Ponomaryov

Bug Description

The Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. I guess the issue comes from a mark_safe() call on the user supplied metadata [1].

It should be noted that unprivileged users can exploit this vulnerability. This could lead to a privilege escalation by e.g. stealing session tokens of higher privileged users (e.g. admins).

Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:

a=<script>alert("test")/*
b=*/<script>

As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list is loaded (e.g. by clicking on Project -> Compute -> Shares).

[1] https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49

Changed in manila-ui:
status: New → Confirmed

Attached patch with fix to comment. Please, try it out.

Changed in manila-ui:
assignee: nobody → Valeriy Ponomaryov (vponomaryov)
importance: Undecided → Critical

Similar problem can be reproduced in admin dashboard with "share types" and extra specs for it.

^ Second patch consists of fixes for both places.

Changed in manila-ui:
status: Confirmed → In Progress

Ben Swartzlander (bswartz) wrote :

Looks fine to me

CVE-2016-6519 was assigned by MITRE.

For the next step, do you need help from SUSE with distributing this to vendors? If the source patch is done we can help with that, e.g. send it with an advisory to all distros under embargo so that it will appear everywhere somewhat on the same date.

Valery, we talked to our customer whose audit brought this security issue to life.

SUSE Security is keen to release a fix. To that end we would like to get to an agreement with you as the upstream PL as to how this can be handled. SUSE is happy to write an advisory and distribute it to the various stakeholders.

Please note that in the interest of responsible disclosure you should effect security responses in a reasonable amount of time. We would appreciate your reply by Monday 2016-08-15 08:00 UTC.

Ben Swartzlander (bswartz) wrote :

Go ahead and write the advisory.

Andreas,

I am not sure what you mean by "upstream PL", but if you need some kind of permission from me, then I am completely OK if this fix is distributed to the various stakeholders before disclosure. And I am definitely the wrong person to decide about "how this can be handled". I confirmed the bug and provided a fix for it. That's all.

Also, I should inform you that I will be unavailable from the 12th of August till the 30th.

Draft advisory. Are you okay with this?
Proposing a coordinated release date of 2016-08-24 12:00 UTC

== draft ==

CVE-2016-6519: OpenStack manila-ui: Persistent XSS in Metadata field

It was discovered that the Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. The issue comes from a mark_safe() call on the user supplied metadata.

https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49

Remote, authenticated, but unprivileged users could exploit this vulnerability to escalate privileges by stealing session cookies.

Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:

a=<script>alert("test")/*
b=*/<script>

As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list is loaded (e.g. by clicking on Project -> Compute -> Shares).

The issue was discovered by Niklaus Schiess, the fix was provided by Valeriy Ponomaryov.

MITRE assigned CVE-2016-6519 to this issue.
The upstream bug is https://bugs.launchpad.net/manila-ui/+bug/1597738
The SUSE bug is https://bugzilla.suse.com/show_bug.cgi?id=988935
SUSE's evaluation has a CVSS base score 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

== draft ==

Thomas Bechtold (toabctl) wrote :

@bswartz: ping?

Ben Swartzlander (bswartz) wrote :

Yes I'm okay with this

Thomas Bechtold (toabctl) wrote :

Newly proposed coordinated release date: 2016-09-07 12:00 UTC. @bswartz, is that OK for you?

Ben Swartzlander (bswartz) wrote :

Yes that date is fine

Niklaus Schiess (n-schiess) wrote :

@toabctl Has the advisory been released on the proposed date?

This bug should be made public since it is documented and referenced on oss-sec.
Has the patch been submitted to gerrit yet?

Once bug-report becomes public I will upload fixes to gerrit.

information type: Private Security → Public Security

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/378972

Changed in manila-ui:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/378557
Committed: https://git.openstack.org/cgit/openstack/manila-ui/commit/?id=fca19a1b0d42536644212c5d673fbd6866e67c43
Submitter: Jenkins
Branch: master

commit fca19a1b0d42536644212c5d673fbd6866e67c43
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300

    Fix metadata_to_str function code injection vulnerability

    It is possible to inject HTML/JavaScript code into shares table
    member page setting metadata to shares and share types table admin page
    setting extra specs. So, escape HTML-specific symbols in output
    string of 'metadata_to_str' function to make it interpreted
    as string and not as code.

    Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
    Security-Fix
    Closes-Bug: #1597738
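
The pattern behind this fix, as an added example (not manila-ui's own code): a simplified stand-in for the metadata renderer, in the trusted-as-is form the report attributes to mark_safe() and in the escaped form the commit message describes, plus a parser-based check usable as a regression test. The function names, the "key = value" layout and the `<br/>` separator are assumptions; the sample metadata is the payload from the bug description.

```python
from html import escape
from html.parser import HTMLParser

# Sample input: the two-key payload quoted in the bug description.
REPORTED_METADATA = {"a": '<script>alert("test")/*', "b": "*/<script>"}


def render_metadata_unsafe(metadata):
    """Vulnerable pattern: user-controlled keys and values are joined into
    markup that is then trusted as-is (the effect of mark_safe())."""
    return "<br/>".join("%s = %s" % (k, metadata[k]) for k in sorted(metadata))


def render_metadata_escaped(metadata):
    """Fixed pattern: escape every key and value first, so the only real
    markup in the cell is the separator the renderer adds itself."""
    return "<br/>".join(
        "%s = %s" % (escape(k), escape(metadata[k])) for k in sorted(metadata)
    )


class _TagCollector(HTMLParser):
    """Records the name of every element the HTML parser recognises."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Return the element names an HTML parser sees in a rendered cell."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (render_metadata_unsafe, render_metadata_escaped):
        cell = render(REPORTED_METADATA)
        print(render.__name__, "->", cell, "| elements:", tags_in(cell))
```

A check like `tags_in()` belongs in the dashboard's unit tests: any element other than the renderer's own separator in a metadata cell means user input reached the page unescaped.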

Reviewed: https://review.openstack.org/378972
Committed: https://git.openstack.org/cgit/openstack/manila-ui/commit/?id=eed69d6ac444c27981f7548c7e2fbc37e836c28d
Submitter: Jenkins
Branch: stable/newton

commit eed69d6ac444c27981f7548c7e2fbc37e836c28d
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300

    Fix metadata_to_str function code injection vulnerability

    It is possible to inject HTML/JavaScript code into shares table
    member page setting metadata to shares and share types table admin page
    setting extra specs. So, escape HTML-specific symbols in output
    string of 'metadata_to_str' function to make it interpreted
    as string and not as code.

    Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
    Security-Fix
    Closes-Bug: #1597738
    (cherry picked from commit fca19a1b0d42536644212c5d673fbd6866e67c43)

tags: added: in-stable-newton

This issue was fixed in the openstack/manila-ui 2.5.1 release.

Reviewed: https://review.openstack.org/380017
Committed: https://git.openstack.org/cgit/openstack/manila-ui/commit/?id=89593686ef18f2bd06223b92071b4be2362a5abd
Submitter: Jenkins
Branch: stable/mitaka

commit 89593686ef18f2bd06223b92071b4be2362a5abd
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300

    Fix metadata_to_str function code injection vulnerability

    It is possible to inject HTML/JavaScript code into shares table
    member page setting metadata to shares and share types table admin page
    setting extra specs. So, escape HTML-specific symbols in output
    string of 'metadata_to_str' function to make it interpreted
    as string and not as code.

    Depends-On: If83e66d4b2f0f1db181e7c23ac256c498566c2da
    Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
    Security-Fix
    Closes-Bug: #1597738
    (clean cherry pick of commit fca19a1b0d42536644212c5d673fbd6866e67c43)

tags: added: in-stable-mitaka

Reviewed: https://review.openstack.org/383585
Committed: https://git.openstack.org/cgit/openstack/manila-ui/commit/?id=009913d725bee34cef0bd62e47a298025ace2696
Submitter: Jenkins
Branch: stable/liberty

commit 009913d725bee34cef0bd62e47a298025ace2696
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300

    Fix metadata_to_str function code injection vulnerability

    It is possible to inject HTML/JavaScript code into shares table
    member page setting metadata to shares and share types table admin page
    setting extra specs. So, escape HTML-specific symbols in output
    string of 'metadata_to_str' function to make it interpreted
    as string and not as code.

    Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
    Security-Fix
    Closes-Bug: #1597738
    (clean cherry pick of commit fca19a1b0d42536644212c5d673fbd6866e67c43)
    (cherry picked from commit 89593686ef18f2bd06223b92071b4be2362a5abd)

tags: added: in-stable-liberty

This issue was fixed in the openstack/manila-ui 2.5.1 release.

This issue was fixed in the openstack/manila-ui 2.6.0 release.

This report contains Public Security information
Everyone can see this security related information.