Message #18791
[Bug 1322197] Re: [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)
** Changed in: horizon/icehouse
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1322197
Title:
[OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name
(CVE-2014-3474)
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Received 2014-05-20 18:52:34 UTC via encrypted E-mail from "Craig
Lorentzen (crlorent)" <crlorent@xxxxxxxxx>:
Hello Jeremy,
This is Craig Lorentzen from the Product Security Incident Response Team
(PSIRT) at Cisco Systems. The purpose of this email is to disclose to
you a vulnerability that was found during testing of a Cisco Product
using OpenStack. Below please find the original discoverer's notes.
Please let us know if there is anything else you need regarding this.
Please also provide a tracking number for our records.
-----
Headline: Persistent XSS in OpenStack Havana UI for Network Name
Platforms: OpenStack Horizon
Versions: Havana
CVSS Score: 9.0
CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
CWE Tags:
The OpenStack Horizon user interface is vulnerable to XSS. The Network Name
parameter is not properly sanitized to prevent JavaScript injection, leading
to persistent XSS.
Steps to reproduce:
1) Create a new network. Use:
<script>alert(1);</script>
for the network name. Disable both Subnet -> Create Subnet and Subnet Detail ->
Enable DHCP. Choose Create.
2) Select Instances -> Launch Instance. Receive alert.
Recommendations:
- Sanitize the rendering of "Network Name" string to prevent XSS.
- Consider utilizing Content Security Policy (CSP). This can be used to prevent
inline JavaScript from executing & only load JavaScript files from approved
domains. This would prevent XSS, even in scenarios where user input is not
properly sanitized.
-----
Thank You,
Craig Lorentzen
Incident Manager
Cisco Product Security Incident Response Team
Security Research and Operations
Office: 919.574.5680
Email: crlorent@xxxxxxxxx
SIO: http://www.cisco.com/security
PGP: 0x30A6C8ED
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1322197/+subscriptions
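The two recommendations in the Cisco report (escape the rendered "Network Name" string, and deploy a CSP that forbids inline script) are illustrated below as an added example. This is not Horizon's code and does not claim to show where the Havana bug was; it is a stand-alone Python sketch, using only the standard library, of the difference between concatenating an untrusted tenant-supplied name into HTML and escaping it first, plus a helper that builds the CSP header value the report suggests. Horizon is a Django application, and Django templates escape variables by default in exactly the way html.escape does here; the dangerous patterns are building markup by string concatenation in Python or marking a string safe (mark_safe / the |safe filter) when it still contains untrusted input. The network name used as sample input is the one quoted in the report; the function names are assumptions for this example.

```python
import html
import re

# Sample input: the network-name payload quoted in the Cisco report above.
# In the real bug this string is stored by Neutron and later rendered by the
# Horizon "Launch Instance" form.
UNTRUSTED_NETWORK_NAME = "<script>alert(1);</script>"


def render_network_option_unsafe(name: str) -> str:
    """Builds an <option> element by raw string concatenation.

    Anything the tenant typed into the network name lands in the page verbatim,
    which is the pattern that turns a stored name into persistent XSS.
    Shown only as the 'before' for comparison with the escaped version below.
    """
    return '<option value="' + name + '">' + name + "</option>"


def render_network_option(name: str) -> str:
    """Builds the same <option>, escaping the untrusted name first.

    html.escape(quote=True) converts < > & " ' into entities, so the browser
    displays the name as text in both the attribute and the element body and
    never parses it as markup. This mirrors Django's default template autoescaping.
    """
    safe = html.escape(name, quote=True)
    return '<option value="' + safe + '">' + safe + "</option>"


def contains_raw_tag(rendered: str) -> bool:
    """Detection helper: does the rendered fragment still contain an unescaped
    opening tag other than the <option> wrapper we emitted ourselves?"""
    inner = re.sub(r"^<option value=\"[^\"]*\">|</option>$", "", rendered)
    return re.search(r"<\s*[a-zA-Z]", inner) is not None


def escaping_is_lossless(name: str) -> bool:
    """Escaping is a display transformation, not a rewrite of the stored data:
    unescaping the rendered text must give back the original name exactly."""
    return html.unescape(html.escape(name, quote=True)) == name


def build_csp_header(script_hosts=("'self'",)) -> str:
    """Returns a Content-Security-Policy header value implementing the report's
    second recommendation: no inline script, scripts only from approved origins.

    script_hosts is a tuple of source expressions; 'self' alone means the
    dashboard's own origin. Because 'unsafe-inline' is absent, an injected
    <script> block that slipped past escaping would still be refused by the browser.
    """
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_hosts),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(directives)


if __name__ == "__main__":
    print("unsafe :", render_network_option_unsafe(UNTRUSTED_NETWORK_NAME))
    print("escaped:", render_network_option(UNTRUSTED_NETWORK_NAME))
    print("CSP    :", build_csp_header())
```

Running the module prints the concatenated fragment, which still contains a live script element, next to the escaped one, in which the same characters have become &lt;script&gt; entities and render as harmless text. The CSP value is the layered defence: even if some other view forgets to escape, a policy without 'unsafe-inline' stops the injected inline script from executing, which is the point the report makes in its second recommendation.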