Bug #5502: Script injection in SPICE viewer (only Firefox) - OpenNebula - OpenNebula Development pages

Bug #5502

Script injection in SPICE viewer (only Firefox)

Added by Abel Coronado over 3 years ago. Updated over 3 years ago.

Status:

Closed

Start date:

10/26/2017

Priority:

Normal

Due date:

Assignee:

Abel Coronado

% Done:

100%

Category:

Sunstone

Target version:

Release 5.4.3

Resolution:

fixed

Pull request:

Affected Versions:

Development

Description

SPICE viewer use title parameter (VM name) to insert in the DOM HTML.

When you click on a new tab, the url is like this http://localhost:9869/spice?host=localhost&port=29876&token=q1men35mijak0k6pryde&password=null&encrypt=no&title=spice-24

If the name of your machine is:

</title><script>alert('hacked')</script>

Or inject the script in the url:

title=</title><script>alert('hacked')</script>

This will happen

Malicious characters should be escaped to avoid this (e.g. <, >)

js-injection.png (74.6 KB) Abel Coronado, 10/26/2017 09:02 AM

Associated revisions

Revision 7ca14d2d
Added by Abel Coronado over 3 years ago

B #5502: Script injection in SPICE viewer (#546)

Revision bcefb74d
Added by Abel Coronado over 3 years ago

B #5502: Script injection in SPICE viewer (#546)

(cherry picked from commit 7ca14d2d8984a9a50d2140b7a13693a6a3fdd4ea)

History

#1 Updated by Ruben S. Montero over 3 years ago

Status changed from Pending to Closed
Resolution set to fixed

Also available in: Atom PDF

OpenNebula

Issues

Custom queries

Bug #5502

Script injection in SPICE viewer (only Firefox)

Associated revisions

History

#1 Updated by Ruben S. Montero over 3 years ago