| 2015-02-03 20:54:15 |
Jason Hullinger |
bug |
|
|
added bug |
| 2015-02-03 21:12:40 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2015-02-03 21:12:46 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2015-02-03 22:59:12 |
Grant Murphy |
description |
The error reporting in Horizon for creating a new network is susceptible to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img src=zz onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction": {"net_profile_id": ["Select a valid choice. <img src=zz onerror=alert(1)> is not one of the available choices."]}}, "workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json response contains the user input and Horizon echo's it out. Although it would be difficult to exploit this vulnerability because an attacker would need to manipulate the hidden HTML net_profile_id parameter or the POST body, Horizon should still HTML encode the output. |
---
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
---
The error reporting in Horizon for creating a new network is susceptible to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img src=zz onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction": {"net_profile_id": ["Select a valid choice. <img src=zz onerror=alert(1)> is not one of the available choices."]}}, "workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json response contains the user input and Horizon echo's it out. Although it would be difficult to exploit this vulnerability because an attacker would need to manipulate the hidden HTML net_profile_id parameter or the POST body, Horizon should still HTML encode the output. |
|
| 2015-02-05 13:17:08 |
Thierry Carrez |
bug |
|
|
added subscriber Horizon Core security contacts |
| 2015-03-09 14:10:50 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2015-03-09 14:11:01 |
Jeremy Stanley |
tags |
|
security |
|
| 2015-03-09 14:11:09 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
| 2015-03-09 22:47:08 |
Lin Hua Cheng |
horizon: milestone |
|
kilo-3 |
|
| 2015-03-19 14:39:40 |
Thierry Carrez |
horizon: milestone |
kilo-3 |
kilo-rc1 |
|
| 2015-03-24 13:52:12 |
David Lyle |
horizon: importance |
Undecided |
Medium |
|
| 2015-03-25 19:55:48 |
David Lyle |
horizon: milestone |
kilo-rc1 |
liberty-1 |
|
| 2015-03-25 19:56:12 |
David Lyle |
tags |
security |
kilo-rc-potential security |
|
| 2015-04-14 15:49:28 |
David Lyle |
tags |
kilo-rc-potential security |
security |
|
| 2015-04-14 21:26:28 |
Jeremy Stanley |
description |
---
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
---
The error reporting in Horizon for creating a new network is susceptible to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img src=zz onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction": {"net_profile_id": ["Select a valid choice. <img src=zz onerror=alert(1)> is not one of the available choices."]}}, "workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json response contains the user input and Horizon echo's it out. Although it would be difficult to exploit this vulnerability because an attacker would need to manipulate the hidden HTML net_profile_id parameter or the POST body, Horizon should still HTML encode the output. |
The error reporting in Horizon for creating a new network is susceptible to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img src=zz onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction": {"net_profile_id": ["Select a valid choice. <img src=zz onerror=alert(1)> is not one of the available choices."]}}, "workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json response contains the user input and Horizon echo's it out. Although it would be difficult to exploit this vulnerability because an attacker would need to manipulate the hidden HTML net_profile_id parameter or the POST body, Horizon should still HTML encode the output. |
|
| 2015-06-23 17:18:31 |
Doug Hellmann |
horizon: milestone |
liberty-1 |
liberty-2 |
|
| 2015-07-28 19:41:49 |
Doug Hellmann |
horizon: milestone |
liberty-2 |
liberty-3 |
|
| 2015-09-03 15:27:19 |
Thierry Carrez |
horizon: milestone |
liberty-3 |
liberty-rc1 |
|
| 2015-09-16 12:16:34 |
David Lyle |
horizon: milestone |
liberty-rc1 |
next |
|
| 2016-04-21 16:07:41 |
Adriano |
horizon: assignee |
|
Adriano (dritec) |
|
| 2016-05-03 20:48:34 |
Adriano |
horizon: assignee |
Adriano (dritec) |
|
|
