#8303 CVE-2019-10085: XSS on user autocomplete

v1.11.0
closed
None
General
nobody
2019-06-18
2019-06-10
No

Via security@apache.org report

...

3. Go to http://localhost:8080/auth/preferences/ and set
"<script>confirm(1)</script>" (without the quotes) as your Display Name
under Preferences / General Settings. Save.

4. As test-user, create a new Project. Let's assume the URL for the
project is http://localhost:8080/p/abc

5. For that Project, go to http://localhost:8080/p/abc/tickets/new/

6. In the Owner dropdown on the Create Ticket page, type the letter "s"

...

Discussion

  • Dave Brondsema

    Dave Brondsema - 2019-06-10

    Here is a fix that I have come up with. Not committing to master yet until other security steps are completed.

    diff --git Allura/allura/lib/widgets/resources/js/combobox.js Allura/allura/lib/widgets/resources/js/combobox.js
    index b36c3dfaa..782147620 100644
    --- Allura/allura/lib/widgets/resources/js/combobox.js
    +++ Allura/allura/lib/widgets/resources/js/combobox.js
    @@ -107,13 +107,19 @@
                       response(select.children('option').map(function() {
                         var text = $(this).text();
                         if (this.value && (!request.term || matcher.test(text))) {
    +                      var label = escape_html(text);
    +                      if (request.term) {
    +                        // highlight the matching chars with <strong>
    +                        label = label.replace(
    +                            new RegExp('(?![^&;]+;)(?!<[^<>]*)(' +
    +                                $.ui.autocomplete.escapeRegex(request.term) +
    +                                ')(?![^<>]*>)(?![^&;]+;)', 'gi'
    +                            ),
    +                            '<strong>$1</strong>'
    +                        );
    +                      }
                           return {
    -                        label: text.replace(
    -                                 new RegExp(
    -                                   '(?![^&;]+;)(?!<[^<>]*)(' +
    -                                   $.ui.autocomplete.escapeRegex(request.term) +
    -                                   ')(?![^<>]*>)(?![^&;]+;)', 'gi'
    -                                 ), '<strong>$1</strong>'),
    +                        label: label,
                             value: text,
                             option: this
                           };
    diff --git Allura/allura/public/nf/js/allura-base.js Allura/allura/public/nf/js/allura-base.js
    index ce813a9a2..6e5f876b5 100644
    --- Allura/allura/public/nf/js/allura-base.js
    +++ Allura/allura/public/nf/js/allura-base.js
    @@ -166,6 +166,10 @@ function get_cm($elem) {
         return $('.CodeMirror', $elem)[0].CodeMirror;
     }
    
    +function escape_html(str) {
    +    return $('<i></i>').text(str).html();
    +}
    +
     $(function(){
         $('html').removeClass('no-js').addClass('js');
    
     
  • Kenton Taylor

    Kenton Taylor - 2019-06-11

    This diff looks good to me, clear for merge.

     
  • Dave Brondsema

    Dave Brondsema - 2019-06-11
    • summary: XSS on user autocomplete --> CVE-2019-10085: XSS on user autocomplete
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-13
    • status: open --> closed
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-13

    Committed to master.

     
  • Dave Brondsema

    Dave Brondsema - 2019-06-17
    • Milestone: unreleased --> v1.11.0
     
  • Dave Brondsema

    Dave Brondsema - 2019-06-18
    • private: Yes --> No
     

Log in to post a comment.