yahoo-eng-team team mailing list archive

[Bug 1327425] Re: With default configuration Horizon is exposed to session-fixation attack


Yes, I think it would make sense to issue a security note on that topic. The article by Pablo is a good read.
It's a well known issue so I'll make it public.

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Won't Fix

** Changed in: horizon
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1327425

Title:
  With default configuration Horizon is exposed to session-fixation
  attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  With the default configuration, if an attacker can obtain a sessionid
  value from a user, the attacker can view and perform actions as that
  user.  This ability does not go away after the user has logged out.

  To view a potential exploit:
  1)  Create an admin profile with access to the admin project and a non-admin profile with no access to the admin project.
  2)  Log in to Horizon as the admin and navigate to the project/instances page. Launch some VMs.
  3)  Open up Firebug and capture the sessionid value.
  4)  Log out of the admin user.
  5)  Log in as the non-admin user.
  6)  Navigate to the project/instances page.
  7)  Use Firebug to paste in the admin value of the session id.
  8)  Click the project/instances link again to force a round trip.
  *!* It's possible for the non-admin user to view all of the admin project VMs.
  9)  In the action column choose More->Terminate Instance.
  *!* It's possible for the non-admin user to delete an admin project VM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1327425/+subscriptions
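Added illustration of the root cause described in the bug (this is not code from the report or from Horizon): a session whose whole state lives in a signed cookie cannot be revoked at logout, because the server holds nothing to delete, whereas a server-side store can drop the record and issue a fresh id on every login. The secret, user names and the toy store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret"  # constructed for the demo; real deployments load this from config


# --- Stateless signed-cookie session: all state is in the cookie itself ---
def sign_cookie(data: dict) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_cookie(cookie: str):
    """Return the session dict if the signature verifies, else None."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


# --- Server-side session store: the cookie carries only an opaque id ---
class ServerSessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # fresh id per login, so a pre-set id is never honoured
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # flush the record; a captured id is now worthless

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


def cookie_session_survives_logout() -> bool:
    """Logout only discards the client's copy; a captured copy still verifies."""
    captured = sign_cookie({"user": "admin"})
    session = load_cookie(captured)  # server state unchanged by "logout"
    return session is not None and session["user"] == "admin"


def server_session_survives_logout() -> bool:
    store = ServerSessionStore()
    captured = store.login("admin")
    store.logout(captured)
    return store.user_for(captured) is not None
```

The signed-cookie path needs an expiry or a server-side revocation list before a captured value stops working; the server-side store invalidates it the moment logout runs.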