REDHAT-BUG-288271

First published: Wed Sep 12 2007(Updated: )

reported via secalert: The graphical sealert program interprets records in the setroubleshoot database as HTML when it displays them to the user. These records include arbitrary attacker-controlled values such as the names of processes and files involved in AVC denial events, and the sealert daemon fails to properly escape those values before passing them to its HTML parser. This allows an unprivileged local attacker to inject arbitrary HTML tags into the alerts displayed by the sealert browser, altering an alert's appearance or inserting arbitrary links. There is no preview bar to show a link's target URL. When a link in the alert is clicked, the program executes the following Python code, where 'arg2' is the value of the link's href attribute: os.spawnl(os.P_NOWAIT, "/usr/bin/htmlview", "htmlview", arg2) The htmlview script executes the user's preferred web browser, which defaults to /usr/bin/firefox under RHEL 5. Since the attacker controls only one argument, it does not appear to be possible to inject arbitrary shell commands, or to cause Firefox to execute arbitrary JavaScript in chrome:/// context. However, in combination with security flaws in Firefox or any other web browser that htmlview may launch, this flaw could be used to execute arbitrary code or steal credentials.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• agent/last-modified-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2007-5496
• agent/severity
• agent/references
• agent/description
• agent/event
• agent/trending
• agent/source
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/red hat
• canonical/red hat setroubleshoot-plugins
• canonical/red hat sealert
• canonical/mozilla firefox