yahoo-eng-team team mailing list archive

[Bug 1587806] Re: XSS in kibana elasticsearch proxy

 

** Project changed: horizon => monasca

** Changed in: monasca
     Assignee: (unassigned) => Dobroslaw Zybort (dobroslaw-zybort)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1587806

Title:
  XSS in kibana elasticsearch proxy

Status in Monasca:
  New

Bug description:
  Detailed bug description:
  There is XSS in kibana elasticsearch proxy

  Problem does not exist on Chrome/Chromium (50.0.2661.102 Ubuntu 16.04
  (64-bit)) but is observable on Firefox (46.0.1).

  Steps to reproduce:
  1. Log in to the OpenStack dashboard.
  2. Rewrite the URL string of the browser's address bar like below:

    new URL:
      <IP address>/dashboard/monitoring/logs_proxy/elasticsearch/*/_field_stats?level=<script>alert(1155)</script>

  3. Press the enter key.

  Expected results:
  HTML control characters, JavaScript and so on are properly escaped or rejected.

  Actual result:
  JavaScript is executed on the error page and a message box is shown.

  Reproducibility:
  100%

  [Variations]
  The following parameters for 'level' may cause similar issues.
  AppScan detected these issues.

    - level=indices<iframe%20src=javascript:alert(10088)%20
    - level=indices'"/><script>alert(10081)</script>
    - level=indices%27%22%2F%3E%3Cscript%3Ealert%2810083%29%3C%2Fscript%3E
    - level=indices%27%22%2F%3E%3Ciframe+src%3Djavascript%3Aalert%2810088%29+
    - level=indices%27%22%2F%3E%3Ciframe+src%3Djavascript%3Aalert%2810089%29%3E
    - level=indices%27%22%2F%3E%3Cimg+src%3Djavascript%3Aalert%2810093%29+
    - level=indices%27%22%2F%3E%3Cimg+src%3Djavascript%3Aalert%2810094%29%3E
    - level=indices<script>alert(10081)</script>
    - level=indices<script>alert(10083)</script>
    - level=indices<iframe%20src=javascript:alert(10089)>
    - level=indices<img%20src=javascript:alert(10093)%20
    - level=indices<img%20src=javascript:alert(10094)>

To manage notifications about this bug go to:
https://bugs.launchpad.net/monasca/+bug/1587806/+subscriptions
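
Added example, not part of the bug report and not Monasca's code: one way a proxy view could meet the "escaped or rejected" expectation above, by allowlisting `level` before forwarding and by never returning upstream error text as renderable HTML. The function names and the `forward` callable are hypothetical; the allowlist assumes the two values Elasticsearch documents for `_field_stats` (`cluster`, `indices`).

```python
import html
import json
from urllib.parse import parse_qs

# Values Elasticsearch documents for the _field_stats "level" parameter.
ALLOWED_LEVELS = {"cluster", "indices"}


def check_level(query_string):
    """Return the validated 'level' value, None if absent; raise ValueError otherwise."""
    values = parse_qs(query_string, keep_blank_values=True).get("level", [])
    if not values:
        return None
    if len(values) != 1 or values[0] not in ALLOWED_LEVELS:
        raise ValueError("unsupported value for 'level'")  # fixed text, input not echoed
    return values[0]


def error_response(status, upstream_text):
    """Build (status, headers, body) for an error so a browser will not render it as HTML."""
    body = json.dumps({"status": status, "error": upstream_text})
    # json.dumps keeps < > & literal; escape them so the body stays inert even if sniffed.
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return status, headers, body


def html_error_page(upstream_text):
    """If an HTML error page is required, escape the reflected text before embedding it."""
    return "<p>Proxy error: {}</p>".format(html.escape(upstream_text, quote=True))


def proxy(query_string, forward):
    """Hypothetical proxy entry point; forward(query_string) returns (status, text)."""
    try:
        check_level(query_string)
    except ValueError as exc:
        return error_response(400, str(exc))  # rejected before reaching the backend
    status, text = forward(query_string)
    if status >= 400:
        return error_response(status, text)  # upstream errors may echo request data
    return status, {"Content-Type": "application/json; charset=utf-8"}, text
```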