yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1585831] [NEW] Horizon dashboard leaks internal information through cookies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dave McCowan <dmccowan@xxxxxxxxx>
Date: Wed, 25 May 2016 23:39:04 -0000
Reply-to: Bug 1585831 <1585831@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When horizon is configured where:
1) internalURL and publicURL are on different networks
2) horizon uses the internalURL endpoint for authentication

The cookie "login_region" will be set to the value configured as
OPENSTACK_KEYSTONE_URL.

This URL contains the IP address of the internalURL of keystone.

In the case of a deployment where the internal network is different than
the public network, the IP address of the internal network is considered
sensitive information.  By putting the OPENSTACK_KEYSTONE_URL in the
cookie that is sent to the public network, horizon leaks the values of
the internal network IP addresses.

** Affects: horizon
     Importance: Undecided
         Status: New

** Affects: ossn
     Importance: Undecided
         Status: New

** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1585831

Title:
  Horizon dashboard leaks internal information through cookies

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Notes:
  New

Bug description:
  When horizon is configured where:
  1) internalURL and publicURL are on different networks
  2) horizon uses the internalURL endpoint for authentication

  The cookie "login_region" will be set to the value configured as
  OPENSTACK_KEYSTONE_URL.

  This URL contains the IP address of the internalURL of keystone.

  In the case of a deployment where the internal network is different
  than the public network, the IP address of the internal network is
  considered sensitive information.  By putting the
  OPENSTACK_KEYSTONE_URL in the cookie that is sent to the public
  network, horizon leaks the values of the internal network IP
  addresses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1585831/+subscriptions

Follow ups

[Bug 1585831] Re: Horizon dashboard leaks internal information through cookies
From: Luke Hinds, 2016-09-08
[Bug 1585831] Re: Horizon dashboard leaks internal information through cookies
From: David Lyle, 2016-08-17