yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1322197] Re: [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Chuck Short <chuck.short@xxxxxxxxxxxxx>
Date: Thu, 07 Aug 2014 13:26:37 -0000
Reply-to: Bug 1322197 <1322197@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: horizon/icehouse
   Importance: Undecided
       Status: New

** Changed in: horizon/icehouse
    Milestone: None => 2014.1.2

** Changed in: horizon/icehouse
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1322197

Title:
  [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name
  (CVE-2014-3474)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Received 2014-05-20 18:52:34 UTC via encrypted E-mail from "Craig
  Lorentzen (crlorent)" <crlorent@xxxxxxxxx>:

  Hello Jeremy,

  This is Craig Lorentzen from the Product Security Incident Response Team
  (PSIRT) at Cisco Systems. The purpose of this email is to disclose to
  you a vulnerability that was found during testing of a Cisco Product
  using OpenStack.  Below please find the original discoverer's notes.
  Please let us know if there is anything else you need regarding this.
  Please also provide a tracking number for our records.

  -----

  Headline:         Persistent XSS in OpenStack Havana UI for Network Name
  Platforms:        OpenStack Horizon
  Versions:         Havana
  CVSS Score:       9.0
  CVSS Vector:      AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
  CWE Tags:

  The Openstack Horizon user interface is vulnerable to XSS.  The Network Name
  parameter is not properly sanitized to prevent javascript injection, leading
  to persistent XSS.

  Steps to reproduce:

  1) Create a new network.  Use:

      <script>alert(1);</script>

  for the network name.  Disable both Subnet -> Create Subnet and Subnet Detail ->
  Enable DHCP.  Choose Create.

  2) Select Instances -> Launch Instance.  Receive alert.

  Recommendations:

  - Sanitize the rendering of "Network Name" string to prevent XSS.

  - Consider utilizing Content Security Policy (CSP). This can be used to prevent
  inline javascript from executing & only load Javascript files from approved
  domains.  This would prevent XSS, even in scenarios where user input is not
  properly sanitized.

  -----

  Thank You,
  Craig Lorentzen
  Incident Manager
  Cisco Product Security Incident Response Team
  Security Research and Operations
  Office: 919.574.5680
  Email: crlorent@xxxxxxxxx
  SIO: http://www.cisco.com/security
  PGP: 0x30A6C8ED

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1322197/+subscriptions