yahoo-eng-team team mailing list archive, Message #21298
[Bug 1369880] [NEW] Autocomplete HTML Attribute Not Disabled for Password Field in Horizon
Public bug reported:
Risk: It may be possible to bypass the web application's authentication
mechanism.
Recommended fix: Correctly set the "autocomplete" attribute to "off"
Affected URL: https://Ip_address/settings/password/
https://Ip_address/auth/login/
Take the second URL's test result and response as an example:
GET /auth/login/?next=/admin/flavors/ HTTP/1.1
Cookie: csrftoken=jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy; sessionid=t5b0864y0q00ridvvh5hniczvv40pl4s
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://9.5.29.52/auth/login/?next=/admin/flavors/
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
HTTP/1.1 200 OK
Date: Thu, 11 Sep 2014 13:49:17 GMT
Server: Apache
Content-Language: en
Expires: Thu, 11 Sep 2014 13:49:17 GMT
Vary: Cookie,Accept-Language,Accept-Encoding
Cache-Control: max-age=0
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 11 Sep 2014 13:49:17 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy; expires=Thu, 10-Sep-2015 13:49:19 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: sessionid=t5b0864y0q00ridvvh5hniczvv40pl4s; httponly; Path=/; secure
<!DOCTYPE html>
<html>
<head>
<meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
<title>Login - Cloud Management Dashboard</title>
<!--
Copyright 2014 IBM Corp.
Copyright 2014 OpenStack Foundation and others
-->
<link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
<!--
Fix header padding issue in IE < 10
-->
<!--[if lt IE 10 ]>
<style>
.topbar {
padding-bottom: 0px;
}
</style>
<![endif]-->
<script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
<script type="text/javascript" charset="utf-8">
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="splash" ng-app='hz'>
<!--
Copyright 2014 IBM Corp.
Copyright 2014 OpenStack Foundation and others
-->
<div id="" class="login ">
<div class="">
<div class="">
<div class="modal-header">
<h3>Cloud Management Dashboard</h3>
</div>
<form id=""
ng-controller="DummyCtrl"
name=""
autocomplete="on"
class=""
action="/auth/login/"
method="POST"
><input type='hidden' name='csrfmiddlewaretoken' value='jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy' />
<div class="modal-body clearfix">
<fieldset>
<div class="form-group clearfix error">
<span class="help-block"><p>You do not have permission to access the resource:</p>
<p><b>/admin/flavors/</b></p>
<p>Login as different user or go back to <a href="/home/"> home page</a></p>
</span>
</div>
<input type="hidden" name="next" value="/admin/flavors/" />
<input id="id_region" name="region" type="hidden" value="http://9.5.29.52:5000/v2.0" />
<!-- <div class="form-group form-field clearfix ">
<label for="id_username">User Name:</label>
<span class="help-block"> </span>
<input autofocus="autofocus" id="id_username" name="username" type="text" />
</div>
-->
<div class="form-group ">
<label class="control-label " for="id_username">User Name</label>
<div class=" ">
<input autofocus="autofocus" class=" form-control" id="id_username" name="username" type="text" />
</div>
</div>
<!-- <div class="form-group form-field clearfix ">
<label for="id_password">Password:</label>
<span class="help-block"> </span>
<input id="id_password" name="password" type="password" /> ---------------------------->> issue here
</div>
-->
<div class="form-group ">
<label class="control-label " for="id_password">Password</label>
<div class=" ">
<input class=" form-control" id="id_password" name="password" type="password" /> ------------------->>issue here
</div>
</div>
</fieldset>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-primary pull-right">Sign In</button>
<div class="openstack-logo"></div>
<div class="copyright">
Licensed Materials - Property of IBM Corp. 5765-SKC<br/>
© Copyright IBM Corp. 2010, 2014 All Rights Reserved<br/>
© Copyright 2014 OpenStack Foundation and others
</div>
</div>
</form>
</div>
</div>
</div>
<div id="footer">
</div>
<!--
Copyright 2014 IBM Corp.
Copyright 2014 OpenStack Foundation and oth
...
...
...
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369880
Title:
Autocomplete HTML Attribute Not Disabled for Password Field in Horizon
Status in OpenStack Dashboard (Horizon):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369880/+subscriptions
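An added check for the finding above (example code written for this archive page, not Horizon's own code): it walks an HTML response with the standard-library parser and reports every password input whose effective autocomplete setting is not "off" (or "new-password"), taking the input's own attribute first and falling back to the enclosing form's attribute, which is how browsers resolve it. The two HTML samples are constructed to mirror the quoted login form: the vulnerable one has autocomplete="on" on the form and nothing on the password input, the hardened one sets the attribute on both. Commented-out inputs, like the ones the scanner output also flagged, are ignored because they are never rendered. Note that current Firefox and Chrome ignore autocomplete="off" on login password fields, so this closes the scanner finding rather than preventing credential autofill outright.

```python
"""Audit an HTML page for password fields that still allow browser autocomplete.

Stand-alone example added to this bug report; it is not Horizon code. The HTML
samples are constructed to mirror the login form quoted in the report.
"""
from html.parser import HTMLParser


class AutocompleteAudit(HTMLParser):
    """Collect (field_name, effective_autocomplete, ok) for each password input.

    The input's own autocomplete attribute wins; otherwise the value of the
    enclosing <form> applies; otherwise the HTML default, which is "on".
    Comments are delivered to handle_comment, so commented-out markup is never
    reported.
    """

    def __init__(self):
        super().__init__()
        self._form_autocomplete = None  # autocomplete of the currently open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_autocomplete = (a.get("autocomplete") or "on").lower()
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = a.get("autocomplete")
            effective = own.lower() if own else (self._form_autocomplete or "on")
            name = a.get("name") or a.get("id") or "<unnamed>"
            # "off" and "new-password" both tell the browser not to fill a stored
            # credential into this field; anything else is a finding.
            ok = effective in ("off", "new-password")
            self.findings.append((name, effective, ok))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def password_fields_with_autocomplete(html):
    """Return names of password inputs whose effective autocomplete is not disabled."""
    audit = AutocompleteAudit()
    audit.feed(html)
    audit.close()
    return [name for name, _, ok in audit.findings if not ok]


# Constructed sample mirroring the quoted Horizon form: the form opts in to
# autocomplete and the password input sets no attribute of its own.
VULNERABLE_FORM = """
<form id="" autocomplete="on" action="/auth/login/" method="POST">
<input type='hidden' name='csrfmiddlewaretoken' value='example-token' />
<!-- <input id="id_password" name="password" type="password" /> -->
<input class=" form-control" id="id_username" name="username" type="text" />
<input class=" form-control" id="id_password" name="password" type="password" />
</form>
"""

# Same form with the recommended fix applied: autocomplete="off" on the
# password input, and on the form so any future password inputs inherit it.
HARDENED_FORM = """
<form id="" autocomplete="off" action="/auth/login/" method="POST">
<input type='hidden' name='csrfmiddlewaretoken' value='example-token' />
<input class=" form-control" id="id_username" name="username" type="text" />
<input class=" form-control" id="id_password" name="password" type="password" autocomplete="off" />
</form>
"""


if __name__ == "__main__":
    for label, html in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        print(label, password_fields_with_autocomplete(html))
```

To run it against a live dashboard, feed the body of the GET response for /auth/login/ or /settings/password/ to password_fields_with_autocomplete; an empty list means every password field on the page is covered. In Django, which Horizon builds on, the attribute is normally set on the widget rather than in the template, for example forms.PasswordInput(attrs={'autocomplete': 'off'}).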