a Flash cross-domain policy which allows access from any domain.
Bug #2016278 reported by Rishabh yadav
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | New | Undecided | Unassigned |
Bug Description
Severity: High
Confidence: Certain
Host: https:/
Path: /crossdomain.xml
Issue detail
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Vulnerability classifications
• CWE-942: Overly Permissive Cross-domain Whitelist
Thank you for your report!
Swift provides operators with the ability to configure the policy they like, including returning a client error (effectively disabling cross-domain access). For more information, see https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.crossdomain
Thinking of Swift generally:
The crossdomain middleware is disabled by default. Operators need to explicitly configure it, or all requests to the /crossdomain.xml path will receive a client error.
If enabled, the crossdomain middleware is very permissive by default. This stems from its origin and continued use as a public cloud platform, where a permissive policy is appropriate. We may want to highlight the permissiveness of the default in docs.
As to the specific concern reported, this seems like something to take to Oracle -- though I would expect that, as a public cloud provider, they may well *want* a permissive policy.
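A defender-side check for the condition the report describes, added here as an example (it is not Swift code and not part of the bug thread): parse a served crossdomain.xml and flag the grants that make it over-permissive. Both sample policies are constructed; the permissive one mirrors the wide-open shape the report flags, the restricted one shows a policy scoped to an operator's own domains.

```python
"""Audit a Flash crossdomain.xml policy for over-permissive grants (CWE-942)."""
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open policy shape the report describes.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

# Constructed sample: a policy scoped to an operator's own domains.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of findings for a crossdomain.xml document.

    An empty list means no over-permissive grant was found. Each finding
    names the element and attribute that widens the policy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for elem in root:
        domain = elem.get("domain", "")
        if elem.tag == "allow-access-from":
            if domain == "*":
                findings.append('allow-access-from grants any domain (domain="*")')
            # secure defaults to true; "false" lets HTTP origins read HTTPS content.
            if elem.get("secure", "true").lower() == "false":
                findings.append(f'allow-access-from domain={domain!r} sets secure="false"')
        elif elem.tag == "allow-http-request-headers-from" and domain == "*":
            findings.append("allow-http-request-headers-from permits headers from any domain")
    return findings


def is_permissive(xml_text):
    """True when the policy contains at least one over-permissive grant."""
    return bool(audit_crossdomain_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
```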