Jenkins fails to sanitize input before adding it to the page

2014.01.17

Credit: Murray McAllister

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2013-6488

CWE: N/A

Hi all,
We recently received a report from Teguh P. Alko about an issue affecting Jenkins. Input was not sanitized before adding it to the page. The fix is public here since the start of 2013:
https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
This could be used for copy and paste attacks, with the end result being similar to that of cross-site scripting attacks. It has been assigned CVE-2013-6488.
Please credit at least "Teguh P. Alko" in any advisories.
I am Cc'ing Reed to see if he knows who the other independent reporter is (from that Jira "SECURITY-46" bug in the above commit; as I understand it those bugs are not made public but I could be wrong).
war/src/main/webapp/scripts/hudson-behavior.js
@@ -1635,7 +1635,7 @@ function createSearchBox(searchURL) {
function updatePos() {
function max(a,b) { if(a>b) return a; else return b; }
- sizer.innerHTML = box.value;
+ sizer.innerHTML = box.value.escapeHTML();
var w = max(sizer.offsetWidth,minW.offsetWidth);
box.style.width =
comp.style.width =

References:

https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Jenkins fails to sanitize input before adding it to the page

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.