yahoo-eng-team team mailing list archive

[Bug 1327425] Re: With default configuration Horizon is exposed to session-fixation attack


** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1327425

Title:
  With default configuration Horizon is exposed to session-fixation
  attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  With the default configuration, if an attacker can obtain a sessionid
  value from a user, the attacker can view and perform actions as that
  user.  This ability does not go away after the user has logged out.

  To view a potential exploit:
  1)  Create an admin profile with access to the admin project and a non-admin profile with no access to the admin project
  2)  Log in to Horizon as the admin, navigate to the project/instances page.  Launch some VMs.
  3)  Open up Firebug and capture the sessionid value.
  4)  Log out of the admin user.
  5)  Log in as the non-admin user.
  6)  Navigate to the project/instances page.
  7)  Use Firebug to paste in the admin user's sessionid value.
  8)  Click the project/instances link again to force a round trip.
  *!* It's possible for the non-admin user to view all of the admin project VMs.
  9)  In the action column choose More->Terminate Instance.
  *!* It's possible for the non-admin user to delete an admin project VM.
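
  As an added illustration (not code from the bug report or from Horizon), the contrast behind step 8: a signed, stateless session cookie stays valid after logout because the server holds no record to delete, whereas a server-side session store can revoke the id. The HMAC scheme below is a stand-in for Django's signed_cookies backend, assumed here (the page does not say so) to be the default Horizon session engine; SECRET_KEY and the session contents are constructed.

```python
import hmac
import hashlib
import json
import secrets
import base64

SECRET_KEY = b"constructed-demo-secret"  # constructed for the demo, not a real key

def sign_cookie(session: dict) -> str:
    """Stateless session: the cookie carries the data plus an HMAC; the server keeps no record."""
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def load_signed_cookie(cookie: str):
    """Accept any cookie with a valid MAC: a logged-out cookie is indistinguishable from a live one."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

class ServerSideSessions:
    """Server-side store: logout deletes the record, so a replayed sessionid resolves to nothing."""
    def __init__(self):
        self._store = {}
    def create(self, session: dict) -> str:
        sid = secrets.token_urlsafe(32)  # random opaque id; the session data never leaves the server
        self._store[sid] = dict(session)
        return sid
    def load(self, sid: str):
        return self._store.get(sid)
    def logout(self, sid: str) -> None:
        self._store.pop(sid, None)

def replay_after_logout_stateless() -> bool:
    """True: a captured signed cookie is still accepted after logout (the reported behaviour)."""
    cookie = sign_cookie({"user": "admin", "project": "admin"})
    # logout only clears the browser's copy; nothing changes server-side, so a captured copy survives
    return load_signed_cookie(cookie) is not None

def replay_after_logout_server_side() -> bool:
    """False: once the record is deleted, the captured sessionid no longer resolves."""
    sessions = ServerSideSessions()
    sid = sessions.create({"user": "admin", "project": "admin"})
    sessions.logout(sid)
    return sessions.load(sid) is not None
```

Switching Horizon to a server-side SESSION_ENGINE (database or cache backed) is the mitigation this contrast points at; with signed cookies, only key rotation or cookie expiry limits the window.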

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1327425/+subscriptions