
yahoo-eng-team team mailing list archive

[Bug 1289033] Re: [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)


Reviewed:  https://review.openstack.org/86054
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1b0106e2804a45e641433c4bd459e6bed85521c3
Submitter: Jenkins
Branch:    milestone-proposed

commit 1b0106e2804a45e641433c4bd459e6bed85521c3
Author: CristianFiorentino <cristian.fiorentino@xxxxxxxxx>
Date:   Mon Mar 10 17:36:31 2014 -0300

    Introduces escaping in Horizon/Orchestration
    
    1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
    
    The "Description" parameter in a Heat template is used to populate
    a help_text tooltip in the dynamically generated Heat form. Bootstrap
    inserts this tooltip into the DOM using .html() which undoes any
    escaping we do in Django (it should be using .text()).
    
    This was fixed by forcing the help_text content to be escaped a second
    time. The issue itself is mitigated in bootstrap.js release 2.0.3
    (ours is currently 2.0.1).
    
    2) Properly escape untrusted Heat template 'outputs'
    
    The 'outputs' parameter in a Heat template was included in a Django
    template with HTML autoescaping turned off. Malicious HTML content
    could be included in a Heat template and would be rendered by Horizon
    when details about a created stack were displayed.
    
    This was fixed by not disabling autoescaping and explicitly escaping
    untrusted values in any strings that are later marked "safe" to render
    without further escaping.
    
    Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
    Closes-Bug: #1289033
    Co-Authored-By: Kieran Spear <kispear@xxxxxxxxx>


** Changed in: horizon
       Status: Fix Committed => Fix Released

** Changed in: horizon/havana
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1289033

Title:
  [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  *Description*
  XSS vulnerability identified in Horizon-Orchestration while uploading a stack template.
  Arbitrary Javascript code may be introduced via the "Description" fields of Heat templates; such code was found to be executed by Horizon.

  *Threat Description*
  -Potential Adversaries: malicious Heat templates owners/malicious Heat templates catalogs.
  -Potential Assets: horizon user/admin access credentials (session cookies/CSRF tokens), VMs/Network configuration/management, tenants' confidential information, etc.
  -Potential Threats: Malicious Heat template owner/catalog makes a Horizon user utilize a malicious template, which once introduced in Horizon obtains user access credentials and sends them back to the attacker.

  *Environment*
  One node with Devstack over Ubuntu 13.10, latest Icehouse code, Firefox web browser and the following OpenStack configuration:
  shell, key, horizon, g-reg, g-api, n-api, n-cpu, n-cond, n-crt, n-net, n-sch, n-novnc, n-xvnc, n-cauth, n-obj, c-api, c-sch, c-vol, ceilometer-acompute, ceilometer-acentral, ceilometer-collector, ceilometer-api, ceilometer-alarm-notifier, ceilometer-alarm-evaluator, h-eng, h-api, h-api-cfn, h-api-cw

  *Steps to reproduce*
  1- Sign-in to Horizon and click on Orchestration/Stack section.
  2- Click on "Launch Stack"
  3- Select "Direct input", and copy-paste into "Template data" the contents of some template (I have used:
  https://github.com/openstack/heat-templates/blob/master/cfn/F17/AutoScalingMultiAZSample.template)
  4- Update the contents of the DBUsername "Description" field with the following:
     "DBUsername": {
         ...
         "Description" : "<script>alert('XSS!!!')</script>",
         ...
     },
  5- Click on Next
  6- Being on the Launch Stack form, click on DBUsername text box as if you were going to modify its value.
  7- A pop-up saying "XSS!!!" will appear, confirming the XSS vulnerability.

  *How to fix*
  - Perform input validation for "Description" fields in templates (need to take into account all template input methods: upload from URL, upload from file, direct input).
  - Perform output sanitization when displaying template's "Description" messages.
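An added illustration, not Horizon's code or the committed diff: the two escaping points from the commit message (double-escaping help_text because Bootstrap's tooltip uses .html(), and escaping untrusted 'outputs' values before the string is marked safe) modelled with the Python standard library in place of Django's autoescape. The function names, the browser attribute-parsing step and the tooltip check are assumptions made for the illustration.

```python
"""Model of the two escaping fixes from the Horizon commit, using
html.escape/html.unescape instead of Django (constructed example)."""
from html import escape, unescape

# Constructed input, taken from the repro step in the bug report.
DESCRIPTION = "<script>alert('XSS!!!')</script>"


def attribute_value(help_text, extra_escape):
    """Value the form template emits for the field's title attribute.
    Django autoescape contributes one escape(); the fix applies a second
    one before the value reaches the template (extra_escape=True)."""
    text = escape(help_text, quote=True) if extra_escape else help_text
    return escape(text, quote=True)


def browser_attribute_parse(attr_value):
    """A browser decodes entities exactly once when parsing an attribute."""
    return unescape(attr_value)


def tooltip_is_markup(attr_value):
    """Bootstrap 2.0.1 copies the parsed title into the tooltip with .html(),
    so a '<script' that survives attribute parsing becomes a real element.
    A text() insertion, or the second escape, would leave it as text."""
    parsed = browser_attribute_parse(attr_value)
    return "<script" in parsed.lower()


def render_outputs_unsafe(outputs):
    """'Before': autoescape off, raw values concatenated into markup."""
    return "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in outputs.items())


def render_outputs(outputs):
    """'After': every untrusted key and value is escaped before the
    fragment is assembled; only the assembled string may be marked safe."""
    return "".join(f"<dt>{escape(k)}</dt><dd>{escape(v)}</dd>"
                   for k, v in outputs.items())


if __name__ == "__main__":
    print("single escape executes:", tooltip_is_markup(attribute_value(DESCRIPTION, False)))
    print("double escape executes:", tooltip_is_markup(attribute_value(DESCRIPTION, True)))
    print(render_outputs({"WebsiteURL": DESCRIPTION}))
```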

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1289033/+subscriptions