yahoo-eng-team team mailing list archive
Message #00809
[Bug 1118327] Re: Horizon Pages Loadable in Third-Party HTML Frames
** Changed in: horizon
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1118327
Title:
Horizon Pages Loadable in Third-Party HTML Frames
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
It is possible to load the web application in HTML FRAMES from third-
party web sites, which makes Horizon vulnerable to various client-side
attacks such as Clickjacking [1].
The following code on another webserver will load the page from
Horizon:
<html>
<head><title>XFS test</title></head>
<body>
<iframe src="https://horizonwebserver/nova/" width="100%" height="100%"></iframe>
</body>
</html>
An attacker would need to load the web application in an HTML frame
located on a third-party website. By applying an opaque overlay
containing other content over the target web application and coercing
the user to interact with the overlay, user mouse events and key
presses can be directed through to the target web application.
A successful attack could allow a malicious user to post fraudulent
transactions.
Horizon should ensure that all pages include a JavaScript Frame Killer
to ensure that the page is only loaded within frames from authorised
third-party domains or hosts. An example of such a Frame Killer is
included below.
<style> html { display: none; } </style>
<script> if (self == top) { document.documentElement.style.display = "block"; } else { top.location = self.location; } </script>
Other options rely on adding the X-Frame-Options in the header. This
could be done in the web server's configuration [2], or in Django
itself [3].
[1] https://www.owasp.org/index.php/Clickjacking
[2] https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header
[3] https://docs.djangoproject.com/en/dev/ref/clickjacking/
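The header-based fix in [2] and [3] is only effective if every response actually carries it, so the following added example (not part of the bug report or of the Horizon project) evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way a browser does and reports whether a page from one origin may be framed by another. The header sets and the origin names horizonwebserver and third-party.example are constructed for the demonstration.

```python
"""Decide whether HTTP response headers permit a page to be framed.

Added example, not code from the Horizon bug report or project. Header
sets and origins below are constructed. Django enables the header by
adding 'django.middleware.clickjacking.XFrameOptionsMiddleware' to the
middleware list and setting X_FRAME_OPTIONS = 'DENY' (or 'SAMEORIGIN').
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the browser's notion of origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(source: str, framer: str, page: str) -> bool:
    """Match one CSP source expression against the framing origin."""
    if source == "none":
        return False
    if source == "self":
        return framer == page
    if source == "*":
        return True
    # A source with an explicit scheme must match the framer's scheme too.
    if "://" in source and not framer.startswith(source.split("://", 1)[0] + "://"):
        return False
    src_host = source.split("://", 1)[-1]
    framer_host = framer.split("://", 1)[-1]
    if src_host.startswith("*."):
        # "*.trusted.example" matches any subdomain of trusted.example
        return framer_host.endswith(src_host[1:])
    return src_host == framer_host


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a browser would render page_url inside a frame on framer_url.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present. A response with neither header can be framed from anywhere,
    which is the state the bug report describes.
    """
    page, framer = _origin(page_url), _origin(framer_url)
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            return any(_source_matches(s, framer, page) for s in sources)

    xfo = lower.get("x-frame-options", "").strip()
    if not xfo:
        return True
    value = xfo.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framer == page
    if value.startswith("ALLOW-FROM") and " " in value:
        # Legacy, Firefox-only form; kept because older deployments emit it.
        return framer == _origin(value.split(None, 1)[1].lower())
    # Unrecognised values are ignored by browsers, so framing is permitted.
    return True


# Constructed header sets for the states discussed in the bug report.
UNPROTECTED = {"Content-Type": "text/html"}                 # what the reporter observed
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}         # Django middleware output
CSP_STRICT = {"Content-Security-Policy": "frame-ancestors 'none'"}

HORIZON = "https://horizonwebserver/nova/"          # constructed, from the report
THIRD_PARTY = "https://third-party.example/"         # constructed framing site


def main():
    cases = (("no header", UNPROTECTED),
             ("X-Frame-Options: SAMEORIGIN", XFO_SAMEORIGIN),
             ("CSP frame-ancestors 'none'", CSP_STRICT))
    for name, hdrs in cases:
        allowed = framing_allowed(hdrs, HORIZON, THIRD_PARTY)
        print(f"{name:30} framed by third party: {allowed}")


if __name__ == "__main__":
    main()
```

Running the script against a live deployment means feeding it the headers of a fetched response instead of the constructed dictionaries; any page that returns True for a third-party origin is still exposed to the issue in this report.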
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118327/+subscriptions