Defect #19117

XSS Vulnerability in Flash rendering

Added by Jan from Planio www.plan.io over 6 years ago. Updated almost 6 years ago.

Status: Closed
Start date:
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: -
Resolution: Fixed
Affected version:

Description

Summary

There are one confirmed and several potential XSS vulnerabilities in
Redmine's flash rendering.

Description

When rendering flash messages, Redmine unconditionally marks the
rendered messages as html_safe. This causes all HTML special
characters in the flash message to be rendered as HTML unless they are
manually escaped beforehand.

In several places in Redmine, the message is not sufficiently escaped
and allows the rendering of raw, user-supplied values.

Example exploit:

Given a user with the following string configured as the email address
(which is accepted by the mail validations):

"><script>alert('Vulnerable!')</script>"

When that user sends himself a test mail using the admin/test_mail
action, the configured email is pushed unescaped into the flash message,
resulting in the included JavaScript being executed.

This can be used in a targeted attack as a reflected XSS to perform
actions as an administrator.

The attached patch also fixes other places where potentially unsafe
information is passed in a flash message, including an issue similar to
the one described above concerning mail registration.

This vulnerability is in Redmine since at least 2.3, possibly much
longer. It is advised to backport the patch to all supported versions of
Redmine and to release updated versions.

Credits

This issue was discovered by Holger Just of Planio.

Solution

Attach the patch against current Redmine trunk (redmine:r14014) attached to this
mail.

0001-Fix-potential-XSS-in-flash-rendering.patch (2.33 KB) Jan from Planio www.plan.io, 2015-02-16 21:30
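The unsafe pattern the report describes, next to the escaped form and a small regression check, as an added Ruby illustration that is not part of the report or of Redmine's own code (the notice wording, the helper names and the use of ERB::Util.html_escape in place of Rails' helpers are assumptions):

```ruby
require 'erb'

# Constructed sample: the email address quoted in the report above.
MALICIOUS_EMAIL = %q{"><script>alert('Vulnerable!')</script>"}

# Vulnerable pattern (modelled on the behaviour described in the report,
# not Redmine's actual code): the message is interpolated raw and the whole
# block is treated as HTML-safe, so user-supplied text becomes markup.
def render_flash_unsafe(level, message)
  %(<div class="flash #{level}">#{message}</div>)
end

# Hardened pattern: escape each message before the block is treated as
# safe, so <, >, " and ' from user input stay literal text.
def render_flash_escaped(level, message)
  %(<div class="flash #{level}">#{ERB::Util.html_escape(message)}</div>)
end

# Notice the test-mail action would build (wording is an assumption).
def test_mail_notice(email)
  "An email was sent to #{email}"
end

# Regression check for a view test: user-controlled input that carries a
# tag must never survive verbatim in the rendered flash block.
def contains_raw_tag?(html, user_input)
  user_input.match?(/<\w+/) && html.include?(user_input)
end
```

The escaped form renders the script tag as `&lt;script&gt;`, which the browser shows as text rather than executing.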

Associated revisions

Revision 14016
Added by Jean-Philippe Lang over 6 years ago

Escape flash messages (#19117).

History

#1 Updated by Jean-Philippe Lang over 6 years ago

Committed in trunk (r14016) and 2.6-stable (r14017), thanks for reporting this out.

As for any XSS vulnerability, I'll add an entry to the Security_Advisories page for this but I'll mark it as low severity as it could hardly be used for an effective attack.

#3 Updated by Jean-Philippe Lang almost 6 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

#4 Updated by Jan from Planio www.plan.io almost 6 years ago

  • Project changed from Security to Redmine
  • Category set to Security

Moving to public project, so it becomes visible.
