
yahoo-eng-team team mailing list archive

[Bug 1369865] [NEW] Permanent Cookie Contains Sensitive Session Information

 

Public bug reported:

Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.

Causes: The web application stores sensitive session information in a
permanent cookie (on disk)

Recommend Fix: Avoid storing sensitive session information in permanent
cookies

Test requests and response:
GET /admin/ HTTP/1.1
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://9.5.29.52/
Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 07:52:50 GMT
Server: Apache
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
<!DOCTYPE html>
<html>
<head>
2014/9/12 516
<meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
<title>Usage Overview - Cloud Management Dashboard</title>
<!--
Copyright 2014 IBM Corp.
Copyright 2014 OpenStack Foundation and others
-->
<link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
<!--
Fix header padding issue in IE < 10
-->
<!--[if lt IE 10 ]>
<style>
.topbar {
padding-bottom: 0px;
}
</style>
<![endif]-->
<script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
<script type="text/javascript" charset="utf-8">
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="" ng-app='hz'>
<div id="container">
<div class='topbar'>
<!--
Copyright 2014 IBM Corp.
Copyright 2014 OpenStack Foundation and others
-->
<h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
<div id="user_info" class="pull-right">
<div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
<div>admin</div>
</div>
<div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
<a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
<div>admin</div>
</a>
<ul id="editor_list" class="dropdown-menu">
<li class='divider'></li>
<li><a href="/settings/">Settings</a></li>
<li><a href="http://docs.openstack.org"; target="_new">Help</a></li>
<li><a href="/auth/logout/">Sign Out</a></li>
</ul>
</div>
<img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
</div>
2014/9/12 517
TOC
</div>
<div id='main_content'>
<div class="messages">
</div>
<div class='sidebar'>
<div>
<dl class="nav_accordion">
<dt >
<div>Project</div>
</dt>
<dd style="display:none;">
<div><h4><div>Compute</div></h4>
<ul>
<li><a href="/project/" tabindex="1" >Overview</a></li>
<li><a href="/project/instances/" tabindex="2" >Instances</a></li>
<li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
<li><a href="/project/images/" tabindex="4" >Images</a></li>
<li><a href="/project/access_and_security/" tabindex="5" >Access &amp; Security</a></li>
</ul>
</div>
<div><h4><div>Network</div></h4>
<ul>
<li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
<li><a href="/project/networks/" tabindex="2" >Networks</a></li>
<li><a href="/project/routers/" tabindex="3" >Routers</a></li>
</ul>
</div>
<div><h4><div>Orchestration</div></h4>
<ul>
<li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
</ul>
</div>
...
...
...
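
A small audit for the pattern this report describes, added here as an illustration and not part of the report, of the scanner that produced it, or of Horizon: it parses the two Set-Cookie headers quoted from the captured response, flags a session-sensitive cookie that carries Expires or Max-Age (the browser will write it to disk), and shows what the header looks like once those persistence attributes are dropped, which is what the recommended fix produces. The set of sensitive cookie names and the finding codes are assumptions of the example; the sample headers are copied from the response above.

```python
"""Audit Set-Cookie headers for sensitive cookies that browsers persist to disk.

Added example for the bug report above; not code from Horizon or the scanner.
"""
from dataclasses import dataclass, field

# Constructed sample: the two Set-Cookie lines from the response quoted in
# the report. A real audit would read them from the live HTTP response.
CAPTURED_SET_COOKIE_HEADERS = [
    "csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; "
    "expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure",
    "sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure",
]

# Assumption: cookie names an auditor treats as session-sensitive for a
# Django-based dashboard such as Horizon. Adjust for other frameworks.
SENSITIVE_COOKIE_NAMES = {"sessionid", "csrftoken"}

# Either of these attributes turns a session cookie into a permanent one.
PERSISTENCE_ATTRIBUTES = {"expires", "max-age"}


@dataclass
class SetCookie:
    name: str
    value: str
    # (attribute name as sent, value) pairs; flag attributes carry True.
    attrs: list = field(default_factory=list)

    def get(self, attr: str):
        """Case-insensitive attribute lookup; None when the attribute is absent."""
        for key, val in self.attrs:
            if key.lower() == attr.lower():
                return val
        return None

    def serialize(self) -> str:
        out = [f"{self.name}={self.value}"]
        for key, val in self.attrs:
            out.append(key if val is True else f"{key}={val}")
        return "; ".join(out)


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header on ';'. Attribute values such as Expires
    contain commas, so splitting on ',' would corrupt them."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = SetCookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie.attrs.append((key.strip(), val.strip() if has_value else True))
    return cookie


def is_persistent(cookie: SetCookie) -> bool:
    """True when the browser will store the cookie on disk."""
    return any(cookie.get(a) is not None for a in PERSISTENCE_ATTRIBUTES)


def audit_set_cookie(header: str) -> list:
    """Return finding codes for one Set-Cookie header. A sensitive cookie
    stored as a permanent cookie is the finding the report is about; the
    Secure/HttpOnly checks are the usual companions."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie.name in SENSITIVE_COOKIE_NAMES and is_persistent(cookie):
        findings.append("sensitive-cookie-persistent")
    if cookie.get("secure") is None:
        findings.append("missing-secure")
    if cookie.get("httponly") is None:
        findings.append("missing-httponly")
    return findings


def as_session_cookie(header: str) -> str:
    """Rewrite the header the way the recommended fix would: drop the
    persistence attributes so the browser keeps the cookie in memory only."""
    cookie = parse_set_cookie(header)
    cookie.attrs = [(k, v) for k, v in cookie.attrs
                    if k.lower() not in PERSISTENCE_ATTRIBUTES]
    return cookie.serialize()


if __name__ == "__main__":
    for header in CAPTURED_SET_COOKIE_HEADERS:
        cookie = parse_set_cookie(header)
        print(cookie.name, audit_set_cookie(header) or ["ok"])
        if is_persistent(cookie):
            print("  session-scoped form:", as_session_cookie(header))
```

Run against the captured headers, `csrftoken` is reported as persistent (its Max-Age of 31449600 seconds matches the default of Django's CSRF_COOKIE_AGE setting, which can be set to None for a session-scoped CSRF cookie) and as lacking HttpOnly, while `sessionid` is clean. The missing HttpOnly on the CSRF cookie is by design in Django so that page scripts can read the token for AJAX requests (controlled by CSRF_COOKIE_HTTPONLY), so treat that finding as lower priority than the persistence one.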

** Affects: horizon
     Importance: Undecided
         Status: New

** Also affects: openstack-chef
   Importance: Undecided
       Status: New

** No longer affects: ossa

** Also affects: horizon
   Importance: Undecided
       Status: New

** No longer affects: openstack-chef

** Description changed:

  Affected URL: https://Ip_address/admin/
  Entity: csrftoken (Cookie)
- Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies
- Causes: The web application stores sensitive session information in a permanent cookie (on disk)
- Recommend Fix: Avoid storing sensitive session information in permanent cookies
+ Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.
+ 
+ Causes: The web application stores sensitive session information in a
+ permanent cookie (on disk)
+ 
+ Recommend Fix: Avoid storing sensitive session information in permanent
+ cookies
  
  Test requests and response:
  GET /admin/ HTTP/1.1
  Host: 9.5.29.52
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Referer: https://9.5.29.52/
  Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
  Connection: keep-alive
  HTTP/1.1 200 OK
  Date: Fri, 12 Sep 2014 07:52:50 GMT
  Server: Apache
  Vary: Accept-Language,Cookie,Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html
  Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
  Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
  <!DOCTYPE html>
  <html>
  <head>
  2014/9/12 516
  <meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
  <title>Usage Overview - Cloud Management Dashboard</title>
  <!--
  Copyright 2014 IBM Corp.
  Copyright 2014 OpenStack Foundation and others
  -->
  <link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
  <link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
  <!--
  Fix header padding issue in IE < 10
  -->
  <!--[if lt IE 10 ]>
  <style>
  .topbar {
  padding-bottom: 0px;
  }
  </style>
  <![endif]-->
  <script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
  <script type="text/javascript" charset="utf-8">
  /*
  Added so that we can append Horizon scoped JS events to
  the DOM load events without running in to the "horizon"
  name-space not currently being defined since we load the
  scripts at the bottom of the page.
  */
  var addHorizonLoadEvent = function(func) {
  var old_onload = window.onload;
  if (typeof window.onload != 'function') {
  window.onload = func;
  } else {
  window.onload = function() {
  old_onload();
  func();
  }
  }
  }
  </script>
  </head>
  <body id="" ng-app='hz'>
  <div id="container">
  <div class='topbar'>
  <!--
  Copyright 2014 IBM Corp.
  Copyright 2014 OpenStack Foundation and others
  -->
  <h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
  <div id="user_info" class="pull-right">
  <div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
  <div>admin</div>
  </div>
  <div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
  <a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
  <div>admin</div>
  </a>
  <ul id="editor_list" class="dropdown-menu">
  <li class='divider'></li>
  <li><a href="/settings/">Settings</a></li>
  <li><a href="http://docs.openstack.org"; target="_new">Help</a></li>
  <li><a href="/auth/logout/">Sign Out</a></li>
  </ul>
  </div>
  <img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
  </div>
  2014/9/12 517
  TOC
  </div>
  <div id='main_content'>
  <div class="messages">
  </div>
  <div class='sidebar'>
  <div>
  <dl class="nav_accordion">
  <dt >
  <div>Project</div>
  </dt>
  <dd style="display:none;">
  <div><h4><div>Compute</div></h4>
  <ul>
  <li><a href="/project/" tabindex="1" >Overview</a></li>
  <li><a href="/project/instances/" tabindex="2" >Instances</a></li>
  <li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
  <li><a href="/project/images/" tabindex="4" >Images</a></li>
  <li><a href="/project/access_and_security/" tabindex="5" >Access &amp; Security</a></li>
  </ul>
  </div>
  <div><h4><div>Network</div></h4>
  <ul>
  <li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
  <li><a href="/project/networks/" tabindex="2" >Networks</a></li>
  <li><a href="/project/routers/" tabindex="3" >Routers</a></li>
  </ul>
  </div>
  <div><h4><div>Orchestration</div></h4>
  <ul>
  <li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
  </ul>
  </div>
  ...
  ...
  ...

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369865

Title:
  Permanent Cookie Contains Sensitive Session Information

Status in OpenStack Dashboard (Horizon):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369865/+subscriptions

