#8303 CVE-2019-10085: XSS on user autocomplete

v1.11.0
closed
None
General
nobody
2019-06-18
2019-06-10
No

Via security@apache.org report

...

3. Go to http://localhost:8080/auth/preferences/ and set
"<script>confirm(1)</script>" (without the quotes) as your Display Name
under Preferences / General Settings. Save.

4. As test-user, create a new Project. Let's assume the URL for the
project is http://localhost:8080/p/abc

5. For that Project, go to http://localhost:8080/p/abc/tickets/new/

6. In the Owner dropdown on the Create Ticket page, type the letter "s"

...

Discussion

  • Dave Brondsema

    Dave Brondsema - 2019-06-10

    Here is a fix that I have come up with. Not committing to master yet until other security steps are completed.

    diff --git Allura/allura/lib/widgets/resources/js/combobox.js Allura/allura/lib/widgets/resources/js/combobox.js
    index b36c3dfaa..782147620 100644
    --- Allura/allura/lib/widgets/resources/js/combobox.js
    +++ Allura/allura/lib/widgets/resources/js/combobox.js
    @@ -107,13 +107,19 @@
                       response(select.children('option').map(function() {
                         var text = $(this).text();
                         if (this.value && (!request.term || matcher.test(text))) {
    +                      var label = escape_html(text);
    +                      if (request.term) {
    +                        // highlight the matching chars with <strong>
    +                        label = label.replace(
    +                            new RegExp('(?![^&;]+;)(?!<[^<>]*)(' +
    +                                $.ui.autocomplete.escapeRegex(request.term) +
    +                                ')(?![^<>]*>)(?![^&;]+;)', 'gi'
    +                            ),
    +                            '<strong>$1</strong>'
    +                        );
    +                      }
                           return {
    -                        label: text.replace(
    -                                 new RegExp(
    -                                   '(?![^&;]+;)(?!<[^<>]*)(' +
    -                                   $.ui.autocomplete.escapeRegex(request.term) +
    -                                   ')(?![^<>]*>)(?![^&;]+;)', 'gi'
    -                                 ), '<strong>$1</strong>'),
    +                        label: label,
                             value: text,
                             option: this
                           };
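Review bot: The highlight regex added on the new lines runs against the escaped label, while the filter on the line above (`matcher.test(text)`) still runs against the raw text, so a term containing `&`, `<` or `>` (which escape_html turns into `&amp;`, `&lt;`, `&gt;`) passes the filter but is never wrapped in `<strong>`. Escaping the term the same way before building the pattern should keep the two consistent: `$.ui.autocomplete.escapeRegex(escape_html(request.term))`. The change also makes combobox.js depend on a global defined in another file, which deserves a comment at the first new line such as `// escape_html is defined in allura-base.js and must be loaded before this widget`. The enclosing source callback starts and ends outside the hunk.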
    diff --git Allura/allura/public/nf/js/allura-base.js Allura/allura/public/nf/js/allura-base.js
    index ce813a9a2..6e5f876b5 100644
    --- Allura/allura/public/nf/js/allura-base.js
    +++ Allura/allura/public/nf/js/allura-base.js
    @@ -166,6 +166,10 @@ function get_cm($elem) {
         return $('.CodeMirror', $elem)[0].CodeMirror;
     }
    
    +function escape_html(str) {
    +    return $('<i></i>').text(str).html();
    +}
    +
     $(function(){
         $('html').removeClass('no-js').addClass('js');
    
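Review bot: escape_html has no documentation of what it does and does not escape, which matters for a helper that other scripts will now reach for. Going through jQuery's text()/html() yields text-node serialization, so `&`, `<` and `>` are escaped but quotes presumably are not; a JSDoc block above the function should state that the result is safe only as element text content, never inside an attribute value or a script block, and that the function relies on jQuery being loaded. Something like `/** Escape str for use as HTML text content (escapes &, <, >; not quotes — do not use for attribute values). @param {string} str @returns {string} */` would do.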
     
  • Kenton Taylor - 2019-06-11

    This diff looks good to me, clear for merge.

     
  • Dave Brondsema

    Dave Brondsema - 2019-06-11
    • summary: XSS on user autocomplete --> CVE-2019-10085: XSS on user autocomplete
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-13
    • status: open --> closed
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-13

    Committed to master.

     
  • Dave Brondsema

    Dave Brondsema - 2019-06-17
    • Milestone: unreleased --> v1.11.0
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-18
    • private: Yes --> No
     
