
yahoo-eng-team team mailing list archive

[Bug 1540208] Re: CSRF mechanism is not safe.


** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1540208

Title:
  CSRF mechanism is not safe.

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  I'm using Burp Suite to check the security of Horizon 8.0.0.0. The CSRF
  mechanism is not safe.

  I saw: csrftoken equals csrfmiddlewaretoken ==> the request is
  valid.

  Example: update a network's name.

  The first request:
   - I got csrftoken and csrfmiddlewaretoken: PvVPmsOEqepSWnWgJa1GKYtBxcSXMTu1
   - network's name: attt_net_test_129

  Then I changed csrftoken and csrfmiddlewaretoken to "1", and the network's
  name value to "attt_net_test_121".

  Finally, I sent the request ==> The network is updated successfully.
  (attached file)

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1540208/+subscriptions
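As an added example (not Horizon or Django code, and not part of this bug thread), the following Python models the double-submit-cookie check the report describes: the csrftoken cookie must equal the csrfmiddlewaretoken form field. The view name update_network, the scenario functions and the session cookie value are constructed assumptions; the token string is reused from the report as sample data. The three scenarios show why a request where the same client sets both values to "1" is accepted, and why a request forged from another origin, where the victim's browser attaches the real cookie but the other origin controls only the form body, is rejected.

```python
import hmac

# Sample token taken from the bug report and used here only as illustrative data.
VICTIM_TOKEN = "PvVPmsOEqepSWnWgJa1GKYtBxcSXMTu1"


def csrf_check(cookies: dict, form: dict) -> bool:
    """Double-submit-cookie check: accept only when the csrftoken cookie and the
    csrfmiddlewaretoken form field are both present and equal (simplified model
    of the pattern Django's CsrfViewMiddleware implements)."""
    cookie_token = cookies.get("csrftoken", "")
    form_token = form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(cookie_token, form_token)


def update_network(request: dict) -> str:
    """Hypothetical view (assumption): renames a network only if the CSRF check
    passes. Returns a status string instead of an HTTP response."""
    if not csrf_check(request["cookies"], request["form"]):
        return "403 Forbidden"
    return "200 OK: renamed to " + request["form"]["name"]


def same_client_request(cookie_jar: dict, form: dict) -> dict:
    """Request built by the user's own browser, or by a proxy such as Burp in
    front of it: both the Cookie header and the body come from one client."""
    return {"cookies": dict(cookie_jar), "form": dict(form)}


def cross_site_request(victim_cookie_jar: dict, foreign_form: dict) -> dict:
    """Request submitted to the site from a page on another origin, inside the
    victim's browser. The browser attaches the victim's real cookies; the other
    origin supplies only the body and cannot read or overwrite the cookie."""
    return {"cookies": dict(victim_cookie_jar), "form": dict(foreign_form)}


def scenario_legitimate() -> str:
    # Normal Horizon form post: the cookie and the hidden field carry the same
    # token the server issued.
    jar = {"csrftoken": VICTIM_TOKEN, "sessionid": "constructed-session"}
    form = {"csrfmiddlewaretoken": VICTIM_TOKEN, "name": "attt_net_test_129"}
    return update_network(same_client_request(jar, form))


def scenario_proxy_rewrites_both() -> str:
    # The report's observation: a proxy on the tester's own machine rewrites
    # both the cookie and the field to "1". They still match, so the server
    # accepts it. Nothing crossed an origin boundary; the tester merely edited
    # their own request.
    jar = {"csrftoken": "1", "sessionid": "constructed-session"}
    form = {"csrfmiddlewaretoken": "1", "name": "attt_net_test_121"}
    return update_network(same_client_request(jar, form))


def scenario_cross_site_forgery() -> str:
    # The case CSRF protection exists for: a page on another origin posts the
    # form from the victim's browser. The browser sends the victim's real
    # csrftoken cookie, the body carries a guessed "1", and the values differ.
    victim_jar = {"csrftoken": VICTIM_TOKEN, "sessionid": "constructed-session"}
    foreign_form = {"csrfmiddlewaretoken": "1", "name": "attt_net_test_121"}
    return update_network(cross_site_request(victim_jar, foreign_form))


if __name__ == "__main__":
    print("legitimate:          ", scenario_legitimate())
    print("proxy rewrites both: ", scenario_proxy_rewrites_both())
    print("cross-site forgery:  ", scenario_cross_site_forgery())
```

The second scenario reproduces what the report shows and is accepted by design: the check is not that the token is unguessable, but that the party submitting the form can also produce the cookie value, which a page on another origin cannot do.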

