yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1489415] Re: Cross-site Request Forgery token is static throughout the application

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Mon, 05 Oct 2015 14:28:19 -0000
Reply-to: Bug 1489415 <1489415@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Switched to public and set "won't fix" for the security advisory task
since this behavior is by design.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1489415

Title:
  Cross-site Request Forgery token is static throughout the application

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description:
  It was observed the application is setting cookie on every request but the parameters like session id, csrf token, etc were static.

  Affected URL :
  Throughout the application

  The functionality allowed by the website can be performed by an
  attacker utilizing CSRF. Attackers can easily forge a series of
  requests by using multiple tags or possibly JavaScript and force the
  victim to perform undesired functions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1489415/+subscriptions