yahoo-eng-team team mailing list archive
Message #67627
[Bug 1717542] [NEW] Possible client side template injection in horizon login screen
Public bug reported:
We got an indication from a security auditing scan that the login page (/dashboard/auth/login)
is still vulnerable to the problem below, reported on Horizon/ocata, version 10.0.0.0.
Seems the same as the bug below, it just didn't fix the issue for the login screen.
https://bugs.launchpad.net/horizon/+bug/1567673
More information on the problem:
AngularJS client-side template injection vulnerability.
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
This web application is vulnerable to AngularJS client-side template
injection vulnerability. AngularJS client-side template injection
vulnerabilities occur when user input is dynamically embedded on a page
where AngularJS client-side templating is used. By using curly braces
it's possible to inject AngularJS expressions in the AngularJS client-side
template that is being used by the application. These expressions
will be evaluated on the client side by AngularJS and, when combined with
a sandbox escape, they allow an attacker to execute arbitrary JavaScript
code.
An attacker can inject AngularJS expressions that will be evaluated on
the client-side. Normally AngularJS expressions are not very dangerous,
but when combined with a sandbox escape they allow an attacker to
execute arbitrary JavaScript code.
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1717542
Title:
Possible client side template injection in horizon login screen
Status in OpenStack Dashboard (Horizon):
New
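The mechanism the report describes, as an added example that is not Horizon code and not from the reporter: a Django-style page that HTML-escapes a reflected value still hands `{{7*7}}` to AngularJS intact, because curly braces are not HTML-special, and the browser decodes entities such as `&#x27;` before AngularJS ever reads the text node. The page markup, the `ng-app` attribute and the use of `html.escape` to stand in for Django auto-escaping are constructed assumptions; `ng-non-bindable` is a real AngularJS directive shown here as one possible mitigation, not as the fix Horizon applied. The checker at the end is the reflection test a scanner or a regression test would run: it parses the rendered body and reports `{{...}}` expressions that sit inside an `ng-app` subtree and outside any `ng-non-bindable` element.

```python
"""Added example (not Horizon code): why HTML escaping alone does not stop
AngularJS client-side template injection, plus a reflection check that a
scanner or a regression test can run against a rendered page."""
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a login page. The real Horizon markup is not
# reproduced; ng-app on <html> is an assumption for the example.
PAGE_TEMPLATE = (
    '<html ng-app="hz"><body>'
    '<form action="/dashboard/auth/login">'
    '<p class="error">Login failed for user {user}</p>'
    '</form></body></html>'
)

# AngularJS default interpolation markers.
INTERP = re.compile(r"\{\{(.*?)\}\}", re.S)


def render_vulnerable(user_input: str) -> str:
    """Django-style auto-escaping: < > & " ' become entities, but curly
    braces pass through untouched, so an AngularJS expression survives."""
    return PAGE_TEMPLATE.format(user=html.escape(user_input))


def render_hardened(user_input: str) -> str:
    """Same escaping, but the reflected text is wrapped in ng-non-bindable
    so the AngularJS compiler skips it (one mitigation, not Horizon's)."""
    return PAGE_TEMPLATE.format(
        user='<span ng-non-bindable>' + html.escape(user_input) + '</span>')


class _InterpolationFinder(HTMLParser):
    """Collect {{...}} expressions in text nodes AngularJS would compile:
    inside an ng-app subtree and not inside an ng-non-bindable element."""

    def __init__(self):
        # convert_charrefs=True mirrors the browser: entities are decoded
        # before AngularJS sees the text, so &#x27; is already a quote.
        super().__init__(convert_charrefs=True)
        self.app_depth = 0
        self.nonbind_depth = 0
        self.stack = []
        self.found = []

    def handle_starttag(self, tag, attrs):
        names = {k.lower() for k, _ in attrs}
        is_app = bool(names & {"ng-app", "data-ng-app"})
        is_nonbind = bool(names & {"ng-non-bindable", "data-ng-non-bindable"})
        self.stack.append((tag, is_app, is_nonbind))
        self.app_depth += is_app
        self.nonbind_depth += is_nonbind

    def handle_endtag(self, tag):
        # Pop to the matching open tag; tolerates unclosed void elements.
        while self.stack:
            t, is_app, is_nonbind = self.stack.pop()
            self.app_depth -= is_app
            self.nonbind_depth -= is_nonbind
            if t == tag:
                break

    def handle_data(self, data):
        if self.app_depth and not self.nonbind_depth:
            self.found.extend(m.group(1) for m in INTERP.finditer(data))


def compiled_expressions(body: str) -> list:
    """Expressions in the body that AngularJS would evaluate client-side."""
    parser = _InterpolationFinder()
    parser.feed(body)
    parser.close()
    return parser.found


def reflects_angular_interpolation(body: str, probe: str) -> bool:
    """True when the probe's {{expr}} lands where AngularJS evaluates it.
    {{7*7}} is the usual harmless probe; a hit means any expression the
    attacker chooses gets evaluated, sandbox escape or not."""
    m = INTERP.search(probe)
    return m is not None and m.group(1) in compiled_expressions(body)


if __name__ == "__main__":
    for probe in ("{{7*7}}", "{{'x'.length}}", "<b>bob</b>"):
        print(probe,
              "vulnerable:", reflects_angular_interpolation(render_vulnerable(probe), probe),
              "hardened:", reflects_angular_interpolation(render_hardened(probe), probe))
```

The second probe is there to show why the checker must decode entities: the server emits `{{&#x27;x&#x27;.length}}`, which looks escaped in the raw response, yet the browser restores the quotes before AngularJS parses the text node. A naive string search on the raw body would miss it.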