yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1417762] Re: XSS in network create error reporting

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Mon, 09 Mar 2015 14:12:34 -0000
Reply-to: Bug 1417762 <1417762@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Agreed on class D for this report, and since nobody has objected I've
switched it to public, tagged as a security hardening opportunity and
switched the advisory task to "won't fix."

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1417762

Title:
  XSS in network create error reporting

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  ---

  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added as to
  the bug as attachments.

  ---

  The error reporting in Horizon for creating a new network is
  susceptible to a Cross-Site Scripting vulnerability. Example
  request/response:

  Request

  POST /project/networks/create HTTP/1.1
  ...

  csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img
  src=zz
  onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=

  Response

  HTTP/1.1 200 OK
  Date: Tue, 03 Feb 2015 20:42:28 GMT
  Server: Apache/2.4.10 (Debian)
  Vary: Accept-Language,Cookie
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/json
  Content-Length: 209

  {"has_errors": true, "errors": {"createnetworkinfoaction":
  {"net_profile_id": ["Select a valid choice. <img src=zz
  onerror=alert(1)> is not one of the available choices."]}},
  "workflow_slug": "create_network"}

  In the above example if the net_profile_id does not exist, the json
  response contains the user input and Horizon echo's it out. Although
  it would be difficult to exploit this vulnerability because an
  attacker would need to manipulate the hidden HTML net_profile_id
  parameter or the POST body, Horizon should still HTML encode the
  output.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1417762/+subscriptions