MAAS

MaaS API is vulnerable to XSS

  1. Series 1.4
  2. Bug #1251336
Bug #1251336 reported by Chris Glass
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Fix Released
Critical
Julian Edwards
1.2
Fix Released
Critical
Julian Edwards
1.4
Fix Released
Critical
Julian Edwards

Bug Description

The MaaS API is vulnerable to Cross site scripting attacks allowing an unprivileged user to steal admin sessions.

A potential attacker can execute arbitrary javascript code in the admin's browser (in the site's document.domain) should he manage to trick him/her into clicking a forged link.

Example:
The following link can be expanded to hijack the admin user's session:

"http://192.168.100.2/MAAS/api/1.0/nodes/?op=test<script>alert(document.domain)</script>balh"

Note: some browsers (like Chrome) sanitize the URL bar, and therefore an attacker would need to craft a form (to pass the "op" parameter as a POST parameter rather than a GET).

Demonstrating the POST version can be done with:
curl --data "op=<script>alert(document.domain)</script>" http://192.168.100.2/MAAS/api/1.0/nodes/

Suggestion:
1. Sanitizing all error returned to the user via the API as "not containing the characters '<' and '>'" (since the API should only return JSON).
2. Make all API URLs return "text/json" as their only content-type will further harden the application (since browsers won't even try to interpret code on non text/html pages).

Tags: landscape

Related branches

lp://staging/~julian-edwards/maas/xss-bug-1251336
Raphaël Badin (community): Approve
Diff: 74 lines (+19/-4)
4 files modified
src/maasserver/api_support.py (+4/-2)
src/maasserver/tests/test_api.py (+11/-0)
src/maasserver/tests/test_api_enlistment.py (+1/-1)
src/maasserver/views/combo.py (+3/-1)
lp://staging/~julian-edwards/maas/1.2-xss-bug-1251336
Julian Edwards (community): Approve
Diff: 66 lines (+16/-4)
3 files modified
src/maasserver/api.py (+1/-2)
src/maasserver/tests/test_api.py (+12/-1)
src/maasserver/views/combo.py (+3/-1)
lp://staging/~julian-edwards/maas/1.4-xss-bug-1251336
Julian Edwards (community): Approve
Diff: 71 lines (+17/-4)
4 files modified
src/maasserver/api_support.py (+2/-2)
src/maasserver/tests/test_api.py (+11/-0)
src/maasserver/tests/test_api_enlistment.py (+1/-1)
src/maasserver/views/combo.py (+3/-1)
lp://staging/ubuntu/precise-security/maas
lp://staging/ubuntu/quantal-security/maas
lp://staging/ubuntu/saucy-security/maas
lp://staging/ubuntu/quantal-updates/maas

CVE References

Julian Edwards (julian-edwards)
Changed in maas:
status: New → Triaged
importance: Undecided → Critical
Julian Edwards (julian-edwards)
Changed in maas:
assignee: nobody → Julian Edwards (julian-edwards)
status: Triaged → In Progress
Revision history for this message
Julian Edwards (julian-edwards) wrote :

Contacted Seth Arnold about this - holding off landing until packages are landed in Ubuntu.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I'm afraid these patches may not be sufficient; I believe some (most?) browsers perform content introspection to determine if the server-supplied mime type is correct. If an attacker supplies some <html><script> tags in their input, a real browser may happily execute the script contents against the server's explicit demands.

If IE6 is the only browser this busted, I'm fine with this patch, but we should discover which browsers might ignore server-supplied mime types; we may need to manually escape special characters.

Thanks

Revision history for this message
Julian Edwards (julian-edwards) wrote : Re: [Bug 1251336] Re: MaaS API is vulnerable to XSS

On Friday 07 Feb 2014 21:37:32 Seth Arnold wrote:
> I'm afraid these patches may not be sufficient; I believe some (most?)
> browsers perform content introspection to determine if the server-
> supplied mime type is correct. If an attacker supplies some
> <html><script> tags in their input, a real browser may happily execute
> the script contents against the server's explicit demands.
>
> If IE6 is the only browser this busted, I'm fine with this patch, but we
> should discover which browsers might ignore server-supplied mime types;
> we may need to manually escape special characters.
>
> Thanks

This broke on Firefox and I have tested that the fix works.

Chromium was always fine and not broken. Go figure :)

If you can find a browser that it does not work on, then I am happy to fix it
by escaping.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hooray, looks like even the usual suspect IE6 isn't stupid enough to ignore a server-supplied text/plain: http://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx

Thanks Julian

Revision history for this message
Julian Edwards (julian-edwards) wrote :

On Tuesday 11 Feb 2014 00:29:58 you wrote:
> Hooray, looks like even the usual suspect IE6 isn't stupid enough to
> ignore a server-supplied text/plain: http://msdn.microsoft.com/en-> us/library/ms775147(v=vs.85).aspx
>
> Thanks Julian

\o/

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1070

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Ubuntu packages have been released. Thanks!

information type: Private Security → Public Security
MAAS Lander (maas-lander)
Changed in maas:
status: In Progress → Fix Committed
Julian Edwards (julian-edwards)
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.