Comment 8 for bug 1327414

Tristan Cacqueray (tristan-cacqueray) wrote : Re: www-authenticate value isn't quoted

@notmyname Isn't Swift 1.11.0 (havana) still supported? I think we'll need a patch for this version as well.

Also, testing the URL in the bug description didn't reveal any assets, only remote code execution in the browser context from the Swift server, and Swift does not use cookies or CSRF tokens.
I assumed a more complex attack, where the extra parameter would be appended to a valid Swift URL.
Please advise if this description is not complete.

Here is impact description #1:

Title: XSS in Swift requests through WWW-Authenticate parameter
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift request parameter escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may trigger an XSS out of the Swift domain, resulting in the potential theft of assets such as authentication tokens. All Swift setups are affected.