yahoo-eng-team team mailing list archive

[Jeremy Stanley <1898465@xxxxxxxxxxxxxxxxxx>]

I've made this report public. For now the OpenStack VMT is considering
it a security hardening opportunity (class D report), so no
corresponding advisory publication is planned but fixing is still
encouraged of course: https://security.openstack.org/vmt-process.html
#incident-report-taxonomy

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-01-02 and will be made
- public by or on that date even if no fix is identified.
- 
  Impact:
  An attacker can use text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typical to tick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust
  
  Recommendation:
  It is recommended not to take user input and reflect to the webpage via parameter. It would a better option if these contents can be hardcoded into the codebase.
  
  Affected Parameter:
  csrf_failure
  
  POC:
  Navigate to https://SAMPLE.com/auth/login/?csrf_failure=HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM
  
  The malicious content will get injection into the web-page.

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1898465

Title:
  In Openstack Horizon component it was observed that the application is
  taking input from URL and reflecting it into the webpage

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Impact:
  An attacker can use text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typical to tick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust

  Recommendation:
  It is recommended not to take user input and reflect to the webpage via parameter. It would a better option if these contents can be hardcoded into the codebase.

  Affected Parameter:
  csrf_failure

  POC:
  Navigate to https://SAMPLE.com/auth/login/?csrf_failure=HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM

  The malicious content will get injection into the web-page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1898465/+subscriptions