Bug 44498

Summary:	UMC doesn't escape HTML from dpkg
Product:	UCS	Reporter:	Daniel Tröder <troeder>
Component:	UMC (Generic)	Assignee:	Florian Best <best>
Status:	CLOSED FIXED	QA Contact:	Dirk Wiesenthal <wiesenthal>
Severity:	normal
Priority:	P5	CC:	best, damrose, gohmann, klaeser, troeder, walkenhorst
Version:	UCS 4.2	Flags:	best: Patch_Available+
Target Milestone:	UCS 4.2-0-errata
Hardware:	Other
OS:	Linux
See Also:	https://forge.univention.org/bugzilla/show_bug.cgi?id=43755
What kind of report is it?:	Security Issue	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):	Security
Max CVSS v3 score:
Bug Depends on:	44489
Bug Blocks:
Attachments:	patch

Description Daniel Tröder

2017-04-28 09:30:48 CEST

I don't know who is responsible for escaping it (UMC, app center, updater), please adapt component and title accordingly.

+++ This bug was initially created as a clone of Bug #44489 +++

While installing univention-spamassassin (as part of the kopano-core installation) the following is logged in umc-module-appcenter.log

27.04.17 14:37:32.575  MODULE      ( PROCESS ) : http: GET http://sa-update.secnap.net/1786640.tar.gz request failed: 404 Not Found: <html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx/1.6.2</center> </body> </html>

As the error from the webpage is html formatted, it was displayed in huge letters in the progress bar.

==============================================================

This seems to me like a code injection vector!

Comment 1 Florian Best

2017-05-23 11:15:34 CEST

Created attachment 8872 [details]
patch

Comment 2 Florian Best

2017-05-24 12:53:32 CEST

This has already been improved in UCS 4.2 but I made the escaping much more explicit and moved it into the ProgressBar widget of univention-web itself.

univention-appcenter (6.0.7-14):
r79639 | Bug #44498: escape HTML in progressbar messages

univention-web (1.0.42-17):
r79640 | Bug #44498: escape HTML in progressbar messages

univention-appcenter.yaml:
r79641 | YAML Bug #44498

univention-web.yaml:
r79641 | YAML Bug #44498

Comment 3 Dirk Wiesenthal

2017-06-14 05:39:12 CEST

OK, works.

Comment 4 Janek Walkenhorst

2017-06-15 13:28:33 CEST

Mismatching binary package version: 1.0.42-15A~4.2.0.201705231328 != univention-web-js 1.0.42-17A~4.2.0.201705241252 from univention-web 1.0.42-17A~4.2.0.201705241252

Comment 5 Janek Walkenhorst

2017-06-15 17:58:12 CEST

<http://errata.software-univention.de/ucs/4.2/31.html>
<http://errata.software-univention.de/ucs/4.2/38.html>