| Thread Previous • Date Previous • Date Next • Thread Next |
** Changed in: ossn
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1327425
Title:
With default configuration Horizon is exposed to session-fixation
attack
Status in OpenStack Dashboard (Horizon):
Won't Fix
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
With the default configuration, if an attacker can obtain a sessionid
value from a user, the attacker can view and perform actions as that
user. This ability does not go away after the user has logged out.
To view a potential exploit:
1) Create an admin profile with access to the admin project and a non admin profile with no access to the admin project
2) Log in to Horizon as the admin, navigate to the project/instances page. Launch some vms.
3) Open up firebug and capture the sessionid value.
4) Log out of the admin user.
5) Log in as the non admin user
6) navigate to the project/instances page
7) Use firebug to past in the admin value of the session id value
8) click the project/instances link again to force a round trip.
*!* It's possible for the non admin user to view all of the admin project vms
9) In the action column choose More->Terminate Instance
*!* It's possible for the non admin user to delete an admin project vm.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1327425/+subscriptions
| Thread Previous • Date Previous • Date Next • Thread Next |
