Bug #5502

Script injection in SPICE viewer (only Firefox)

Added by Abel Coronado over 3 years ago. Updated over 3 years ago.

Status: Closed
Start date: 10/26/2017
Priority: Normal
Due date:
Assignee: Abel Coronado
% Done: 100%
Category: Sunstone
Target version: Release 5.4.3
Resolution: fixed
Pull request:
Affected Versions: Development

Description

The SPICE viewer uses the title parameter (VM name) to insert into the DOM HTML.

When you click on a new tab, the URL is like this: http://localhost:9869/spice?host=localhost&port=29876&token=q1men35mijak0k6pryde&password=null&encrypt=no&title=spice-24

If the name of your machine is:

</title><script>alert('hacked')</script>

Or inject the script in the url:

title=</title><script>alert('hacked')</script>

This will happen

Malicious characters should be escaped to avoid this (e.g. <, >).

js-injection.png (74.6 KB) Abel Coronado, 10/26/2017 09:02 AM
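
The pattern reported above, next to an escaped form, as an added example that is not Sunstone's code or the fix from the associated revisions. The function names, the `<head>` template and the sample URL are assumptions made for illustration; the payload is the one quoted in the report.

```javascript
// Added example: names and template are hypothetical, not Sunstone's code.

// Characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape a value in a single pass so "&" is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the `title` query parameter (the VM name) from a viewer URL.
function titleFromUrl(url) {
  const title = new URL(url).searchParams.get("title");
  return title === null ? "" : title;
}

// Vulnerable pattern: the raw parameter is concatenated into markup,
// so "</title>" closes the element and the rest is parsed as HTML.
function renderHeadUnsafe(title) {
  return "<head><title>" + title + "</title></head>";
}

// Hardened form: the value is escaped before it reaches the HTML parser.
function renderHeadEscaped(title) {
  return "<head><title>" + escapeHtml(title) + "</title></head>";
}

// Constructed sample URL carrying the payload quoted in the report.
const SAMPLE_URL =
  "http://localhost:9869/spice?host=localhost&port=29876&encrypt=no&title=" +
  encodeURIComponent("</title><script>alert('hacked')</script>");

// Compare both renderings: does a live <script> tag survive?
function demo() {
  const title = titleFromUrl(SAMPLE_URL);
  const unsafe = renderHeadUnsafe(title);
  const escaped = renderHeadEscaped(title);
  return {
    unsafeHasScriptTag: /<script>/i.test(unsafe),
    escapedHasScriptTag: /<script>/i.test(escaped),
    escaped,
  };
}

console.log(demo());
```

When the title is set from browser script rather than a template, assigning the value to `document.title` or an element's `textContent` keeps it out of the HTML parser entirely.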

Associated revisions

Revision 7ca14d2d
Added by Abel Coronado over 3 years ago

B #5502: Script injection in SPICE viewer (#546)

Revision bcefb74d
Added by Abel Coronado over 3 years ago

B #5502: Script injection in SPICE viewer (#546)

(cherry picked from commit 7ca14d2d8984a9a50d2140b7a13693a6a3fdd4ea)

History

#1 Updated by Ruben S. Montero over 3 years ago

  • Status changed from Pending to Closed
  • Resolution set to fixed
