yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1477432] Re: Swift object Cross Site Scripting (XSS) attack

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Mon, 17 Aug 2015 15:26:49 -0000
Reply-to: Bug 1477432 <1477432@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 1463698 ***
    https://bugs.launchpad.net/bugs/1463698

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** This bug has been marked a duplicate of bug 1463698
   XSS

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- 
  Browser open *.http objects instead of download them.
  
  XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content
  Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
  
  Affected URL:
  /horizon/project/containers/
  
  Fix: browser should download but not open *.http objects

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1477432

Title:
  Swift object Cross Site Scripting (XSS) attack

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Browser open *.http objects instead of download them.

  XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content
  Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

  Affected URL:
  /horizon/project/containers/

  Fix: browser should download but not open *.http objects

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1477432/+subscriptions