-
Bug
-
Resolution: Fixed
-
Minor
-
Operating System
-bash-4.1$ cat /etc/oracle-release && uname -a
Oracle Linux Server release 6.5
Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Java
-bash-4.1$ /etc/alternatives/java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
Jenkins & Plugins
System Properties
Name ↓
Value
awt.toolkit sun.awt.X11.XToolkit
executable-war /usr/lib/jenkins/jenkins.war
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
hudson.diyChunking true
hudson.DNSMultiCast.disabled true
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.path /usr/lib/jenkins/jenkins.war
java.class.version 52.0
java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed
java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext
java.home /usr/java/jdk1.8.0_40/jre
java.io.tmpdir /tmp
java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.8.0_40-b26
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 1.8
java.vendor Oracle Corporation
java.vendor.url http://java.oracle.com/
java.vendor.url.bug http://bugreport.sun.com/bugreport/
java.version 1.8.0_40
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 1.8
java.vm.vendor Oracle Corporation
java.vm.version 25.40-b25
JENKINS_HOME /apps/jenkins
jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib
jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp
line.separator
mail.smtp.sendpartial true
mail.smtps.sendpartial true
os.arch amd64
os.name Linux
os.version 3.8.13-68.2.2.el6uek.x86_64
path.separator :
sun.arch.data.model 64
sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes
sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64
sun.cpu.endian little
sun.cpu.isalist
sun.font.fontmanager sun.awt.X11FontManager
sun.io.unicode.encoding UnicodeLittle
sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
sun.java.launcher SUN_STANDARD
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Tiered Compilers
sun.os.patch.level unknown
user.country US
user.dir /
user.home /var/lib/jenkins
user.language en
user.name jenkins
user.timezone America/Chicago
Environment Variables
Name ↓
Value
_ /etc/alternatives/java
HOME /var/lib/jenkins
LANG en_US.UTF-8
LOGNAME jenkins
NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat
PATH /sbin:/usr/sbin:/bin:/usr/bin
PWD /
SHELL /bin/bash
SHLVL 2
TERM xterm-256color
USER jenkins
XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt
Plugins
Name ↓
Version
Enabled
Pinned
ant 1.2 true false
antisamy-markup-formatter 1.3 true true
cloudbees-folder 4.10 true false
credentials 1.24 true true
credentials-binding 1.6 true false
cvs 2.12 false true
external-monitor-job 1.4 true false
git 2.4.0 true false
git-client 1.19.0 true false
javadoc 1.3 true true
junit 1.9 true true
ldap 1.11 true false
mailer 1.15 true true
matrix-auth 1.2 true true
matrix-project 1.6 true true
maven-plugin 2.12.1 true true
metrics 3.1.2 true false
pam-auth 1.2 true true
plain-credentials 1.1 true false
reverse-proxy-auth-plugin 1.4.0 true false
saml 0.4 false false
scm-api 0.2 true false
script-security 1.15 true true
shiningpanda 0.22 true false
ssh-agent 1.8 true false
ssh-credentials 1.11 true true
ssh-slaves 1.10 true true
suppress-stack-trace 1.4 true false
translation 1.12 false true
windows-slaves 1.1 false true
workflow-step-api 1.10.1 true false
Jenkins running directly (no container)
Jenkins accessed via reverse proxy
Access Control: HTTP Header by reverse proxyOperating System -bash-4.1$ cat /etc/oracle-release && uname -a Oracle Linux Server release 6.5 Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux Java -bash-4.1$ /etc/alternatives/java -version java version "1.8.0_40" Java(TM) SE Runtime Environment (build 1.8.0_40-b26) Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode) Jenkins & Plugins System Properties Name ↓ Value awt.toolkit sun.awt.X11.XToolkit executable-war /usr/lib/jenkins/jenkins.war file.encoding UTF-8 file.encoding.pkg sun.io file.separator / hudson.diyChunking true hudson.DNSMultiCast.disabled true java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.path /usr/lib/jenkins/jenkins.war java.class.version 52.0 java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext java.home /usr/java/jdk1.8.0_40/jre java.io.tmpdir /tmp java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.8.0_40-b26 java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 1.8 java.vendor Oracle Corporation java.vendor.url http://java.oracle.com/ java.vendor.url.bug http://bugreport.sun.com/bugreport/ java.version 1.8.0_40 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 1.8 java.vm.vendor Oracle Corporation java.vm.version 25.40-b25 JENKINS_HOME /apps/jenkins jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp line.separator mail.smtp.sendpartial true mail.smtps.sendpartial true os.arch amd64 os.name Linux os.version 3.8.13-68.2.2.el6uek.x86_64 path.separator : sun.arch.data.model 64 sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64 sun.cpu.endian little sun.cpu.isalist sun.font.fontmanager sun.awt.X11FontManager sun.io.unicode.encoding UnicodeLittle sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 sun.java.launcher SUN_STANDARD sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Tiered Compilers sun.os.patch.level unknown user.country US user.dir / user.home /var/lib/jenkins user.language en user.name jenkins user.timezone America/Chicago Environment Variables Name ↓ Value _ /etc/alternatives/java HOME /var/lib/jenkins LANG en_US.UTF-8 LOGNAME jenkins NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat PATH /sbin:/usr/sbin:/bin:/usr/bin PWD / SHELL /bin/bash SHLVL 2 TERM xterm-256color USER jenkins XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt Plugins Name ↓ Version Enabled Pinned ant 1.2 true false antisamy-markup-formatter 1.3 true true cloudbees-folder 4.10 true false credentials 1.24 true true credentials-binding 1.6 true false cvs 2.12 false true external-monitor-job 1.4 true false git 2.4.0 true false git-client 1.19.0 true false javadoc 1.3 true true junit 1.9 true true ldap 1.11 true false mailer 1.15 true true matrix-auth 1.2 true true matrix-project 1.6 true true maven-plugin 2.12.1 true true metrics 3.1.2 true false pam-auth 1.2 true true plain-credentials 1.1 true false reverse-proxy-auth-plugin 1.4.0 true false saml 0.4 false false scm-api 0.2 true false script-security 1.15 true true shiningpanda 0.22 true false ssh-agent 1.8 true false ssh-credentials 1.11 true true ssh-slaves 1.10 true true suppress-stack-trace 1.4 true false translation 1.12 false true windows-slaves 1.1 false true workflow-step-api 1.10.1 true false Jenkins running directly (no container) Jenkins accessed via reverse proxy Access Control: HTTP Header by reverse proxy
With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, is it possible to write a form having a protocol-relative action URI that could be used to leak sensitive data to an external service.
For example, this HTML is scrubbed correctly with the form action removed:
<form action="https://malicious.com">
<input type="submit">
</form>
The form action in this example is not scrubbed and it is possible for a user to create a form that directs to an external site:
<form action="//malicious.com">
<input type="submit">
</form>
- links to
[JENKINS-31616] "Safe HTML" vulnerable to protocol-relative form action
Josh Cook
added a comment - Thank you for the feedback Daniel. I read the instructions for "How to report an issue" <https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue> however I overlooked the line instructing that this ticket should have been reported to the "Security Issues" project.
Do you think it would be helpful to add more prominent instructions to that page specifically relating to reporting security issues?
Josh Cook
added a comment - Thank you for the feedback Daniel. I read the instructions for "How to report an issue" < https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue > however I overlooked the line instructing that this ticket should have been reported to the "Security Issues" project.
Do you think it would be helpful to add more prominent instructions to that page specifically relating to reporting security issues? Everything is kind of important. That's why the page is as long as it is and stuff easy to overlook 
We're also mentioning how to do this e.g. here which is linked from every wiki page's menu… so… I don't know.
FWIW for the upcoming site design I want to make both the advisories and instructions how to report more accessible.
Still, how serious is this, really? I'd actually expect it to be fairly minor. You submit a form, it goes… somewhere. Is there an expectation that forms cannot go elsewhere?
Josh Cook
added a comment - My corporate Information Security team reported this to me as a "High" severity vulnerability, requiring executive-level approval for an exemption. It is very important to my team that we get Jenkins passing their security audits with as few exceptions as possible.
My understanding of the "Safe HTML" policy is that form actions should be disallowed from having an offsite action URL, so even if you consider this a minor security vulnerability, it remains a bug in the policy.
I don't know what all possible exploits this opens, but presumably it could be used by a malicious user to implement a phishing attack by directing other users to an offsite page that looks like Jenkins but is actually not.
Josh Cook
added a comment - My corporate Information Security team reported this to me as a "High" severity vulnerability, requiring executive-level approval for an exemption. It is very important to my team that we get Jenkins passing their security audits with as few exceptions as possible.
My understanding of the "Safe HTML" policy is that form actions should be disallowed from having an offsite action URL, so even if you consider this a minor security vulnerability, it remains a bug in the policy.
I don't know what all possible exploits this opens, but presumably it could be used by a malicious user to implement a phishing attack by directing other users to an offsite page that looks like Jenkins but is actually not.
It looks like we inherited this issue from upstream (OWASP AntiSamy's Myspace policy definition).
Workaround would be to use the plain text formatter and so just disable all user-entered HTML.
Code changed in jenkins
User: Daniel Beck
Path:
src/main/java/hudson/markup/MyspacePolicy.java
src/test/java/hudson/markup/MyspacePolicyTest.java
http://jenkins-ci.org/commit/antisamy-markup-formatter-plugin/bf3758df15828bec772322fd7ad629df1d40571c
Log:
[FIX JENKINS-31616] Prohibit scheme-relative URLs
Code changed in jenkins
User: Steven Christou
Path:
src/main/java/hudson/markup/MyspacePolicy.java
src/test/java/hudson/markup/MyspacePolicyTest.java
http://jenkins-ci.org/commit/antisamy-markup-formatter-plugin/3f7c587cde27d59d4d549f5a5a5c15ddf66631e4
Log:
Merge pull request #4 from daniel-beck/JENKINS-31616
[FIX JENKINS-31616] Prohibit scheme-relative URLs
Compare: https://github.com/jenkinsci/antisamy-markup-formatter-plugin/compare/d4c35338718a...3f7c587cde27
Can't be critical if you cannot be bothered to report this privately.