MAAS

MaaS API is vulnerable to XSS

Bug #1251336 reported by Chris Glass on 2013-11-14

264

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Fix Released	Critical	Julian Edwards
	1.2	Fix Released	Critical	Julian Edwards
	1.4	Fix Released	Critical	Julian Edwards

Bug Description

The MaaS API is vulnerable to Cross site scripting attacks allowing an unprivileged user to steal admin sessions.

A potential attacker can execute arbitrary javascript code in the admin's browser (in the site's document.domain) should he manage to trick him/her into clicking a forged link.

Example:
The following link can be expanded to hijack the admin user's session:

"http://192.168.100.2/MAAS/api/1.0/nodes/?op=test<script>alert(document.domain)</script>balh"

Note: some browsers (like Chrome) sanitize the URL bar, and therefore an attacker would need to craft a form (to pass the "op" parameter as a POST parameter rather than a GET).

Demonstrating the POST version can be done with:
curl --data "op=<script>alert(document.domain)</script>" http://192.168.100.2/MAAS/api/1.0/nodes/

Suggestion:
1. Sanitizing all error returned to the user via the API as "not containing the characters '<' and '>'" (since the API should only return JSON).
2. Make all API URLs return "text/json" as their only content-type will further harden the application (since browsers won't even try to interpret code on non text/html pages).

Tags:

Related branches

lp:~julian-edwards/maas/xss-bug-1251336

Merged into lp:~maas-committers/maas/trunk at revision 1946

Raphaël Badin (community): Approve on 2014-02-05

lp:~julian-edwards/maas/1.2-xss-bug-1251336

Merged into lp:maas/1.2 at revision 1387

Julian Edwards (community): Approve on 2014-02-06

lp:~julian-edwards/maas/1.4-xss-bug-1251336

Merged into lp:maas/1.4 at revision 1717

Julian Edwards (community): Approve on 2014-02-06

lp:ubuntu/precise-security/maas

lp:ubuntu/quantal-security/maas

lp:ubuntu/saucy-security/maas

lp:ubuntu/quantal-updates/maas

CVE References

2013-1070

Julian Edwards (julian-edwards) on 2013-11-15

Changed in maas:
status:	New → Triaged
importance:	Undecided → Critical

Julian Edwards (julian-edwards) on 2014-02-05

Changed in maas:
assignee:	nobody → Julian Edwards (julian-edwards)
status:	Triaged → In Progress

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-02-06:

#2

Contacted Seth Arnold about this - holding off landing until packages are landed in Ubuntu.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-02-07:

#3

I'm afraid these patches may not be sufficient; I believe some (most?) browsers perform content introspection to determine if the server-supplied mime type is correct. If an attacker supplies some <html><script> tags in their input, a real browser may happily execute the script contents against the server's explicit demands.

If IE6 is the only browser this busted, I'm fine with this patch, but we should discover which browsers might ignore server-supplied mime types; we may need to manually escape special characters.

Thanks

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-02-07: Re: [Bug 1251336] Re: MaaS API is vulnerable to XSS

#4

On Friday 07 Feb 2014 21:37:32 Seth Arnold wrote:
> I'm afraid these patches may not be sufficient; I believe some (most?)
> browsers perform content introspection to determine if the server-
> supplied mime type is correct. If an attacker supplies some
> <html><script> tags in their input, a real browser may happily execute
> the script contents against the server's explicit demands.
>
> If IE6 is the only browser this busted, I'm fine with this patch, but we
> should discover which browsers might ignore server-supplied mime types;
> we may need to manually escape special characters.
>
> Thanks

This broke on Firefox and I have tested that the fix works.

Chromium was always fine and not broken. Go figure :)

If you can find a browser that it does not work on, then I am happy to fix it
by escaping.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-02-11:

#5

Hooray, looks like even the usual suspect IE6 isn't stupid enough to ignore a server-supplied text/plain: http://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx

Thanks Julian

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-02-11:

#6

On Tuesday 11 Feb 2014 00:29:58 you wrote:
> Hooray, looks like even the usual suspect IE6 isn't stupid enough to
> ignore a server-supplied text/plain: http://msdn.microsoft.com/en-> us/library/ms775147(v=vs.85).aspx
>
> Thanks Julian

\o/

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2014-02-11:

#7

This is CVE-2013-1070

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-02-13:

#8

Ubuntu packages have been released. Thanks!

information type:

Private Security → Public Security

MAAS Lander (maas-lander) on 2014-02-14

Changed in maas:
status:	In Progress → Fix Committed

Julian Edwards (julian-edwards) on 2014-02-18

Changed in maas:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.