
yahoo-eng-team team mailing list archive

[Bug 1898465] Re: In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage


Reviewed:  https://review.opendev.org/757122
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=8a963626e12ee25cf2f9ab29c172b16f5bbce4c9
Submitter: Zuul
Branch:    master

commit 8a963626e12ee25cf2f9ab29c172b16f5bbce4c9
Author: Ivan Kolodyazhny <e0ne@xxxxxxxxx>
Date:   Fri Oct 9 17:58:32 2020 +0300

    Added validation for csrf_failure GET argument
    
    During csrf_failure argument validation horizon drops unknown messages
    so nobody can inject any message into the login view.
    
    Change-Id: I78a7592562a6249629f4d236ca59eb83d9094123
    Closes-Bug: #1898465


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1898465

Title:
  In Openstack Horizon component it was observed that the application is
  taking input from URL and reflecting it into the webpage

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Impact:
  An attacker can use a text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typically to trick victims, although sometimes the actual purpose may be simply to misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.

  Recommendation:
  It is recommended not to take user input and reflect it to the webpage via a parameter. It would be a better option if these contents could be hardcoded into the codebase.

  Affected Parameter:
  csrf_failure

  POC:
  Navigate to https://SAMPLE.com/auth/login/?csrf_failure=HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM

  The malicious content will get injected into the web page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1898465/+subscriptions
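The fix described in the commit message, validating csrf_failure against a set of known messages and dropping everything else, as an added illustration that is not Horizon's own code. The message keys, the message texts and the helper names are assumptions made for this example; it also shows why HTML escaping alone does not stop text injection.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only messages the login page may ever render.
# The keys and texts are hypothetical, not Horizon's actual identifiers.
KNOWN_CSRF_MESSAGES = {
    "token_missing": "Your session has expired. Please log in again.",
    "token_invalid": "The security token did not match. Please log in again.",
}

# The proof-of-concept URL from the bug report (host is the report's placeholder).
POC_URL = ("https://SAMPLE.com/auth/login/?csrf_failure="
           "HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM")


def csrf_failure_param(url):
    """Extract the raw csrf_failure query value from a login URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("csrf_failure", [""])[0]


def render_alert_vulnerable(csrf_failure):
    """'Before' behaviour: the parameter text is escaped (so no script runs)
    but still reflected verbatim, which is exactly the text injection the
    bug report describes."""
    if not csrf_failure:
        return ""
    return f'<div class="alert">{escape(csrf_failure)}</div>'


def render_alert_hardened(csrf_failure):
    """'After' behaviour: the parameter is only a lookup key into the
    allowlist; an unknown key renders nothing, so attacker-chosen wording
    never reaches the page."""
    message = KNOWN_CSRF_MESSAGES.get(csrf_failure)
    if message is None:
        return ""
    return f'<div class="alert">{escape(message)}</div>'


def is_unexpected_csrf_failure(url):
    """Defender-side check for access-log review: flag requests whose
    csrf_failure value is not one of the known keys."""
    value = csrf_failure_param(url)
    return bool(value) and value not in KNOWN_CSRF_MESSAGES
```

Running the bug's proof-of-concept URL through both renderers shows the attacker text in the first and an empty alert in the second, while a legitimate key such as `token_missing` still renders its fixed message.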