CVE-2016-6519: openstack-manila: Persistent XSS in Metadata field

[Marcus Meissner <meissner () suse de>]

Hi,

One of SUSE customers has found Persistent XSS in Metadata field in Openstack Manila.

Openstack Manila is currently not covered by the Openstack Security Team, so they
defered announcement to us.

------------------------------------

CVE-2016-6519: OpenStack manila-ui: Persistent XSS in Metadata field

It was discovered that the Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript 
code that will be reflected in the "Shares" overview. The issue comes from a mark_safe() call on the user supplied 
metadata.

https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49

Remote, authenticated, but unprivileged users could exploit this vulnerability to escalate privileges by stealing 
session cookies.

Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to 
reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the 
following payload:

a=<script>alert("test")/*
b=*/<script>

As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the 
Shares list will be loaded (e.g. by clicking on Project -> Compute -> Shares).

The issue was discovered by Niklaus Schiess, the fix was provided Valeriy Ponomaryov.

MITRE assigned CVE-2016-6519 to this issue.
The upstream bug is https://bugs.launchpad.net/manila-ui/+bug/1597738
The SUSE bug is https://bugzilla.suse.com/show_bug.cgi?id=988935
SUSE's evaluation has a CVSS base score 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

-----------------------------------

The proposed upstream fix is attached.

Ciao, Marcus

Attachment: fix_v2_for_bug_1597738_stable_mitaka_and_liberty.txt
Description: