
yahoo-eng-team team mailing list archive

[Bug 1931558] Re: LFI vulnerability in "Create Workbook"


Reviewed:  https://review.opendev.org/c/openstack/mistral-dashboard/+/800952
Committed: https://opendev.org/openstack/mistral-dashboard/commit/8b876b0b22b365f24af1eb9eae01ad3d22cc1533
Submitter: "Zuul (22348)"
Branch:    master

commit 8b876b0b22b365f24af1eb9eae01ad3d22cc1533
Author: Takashi Kajinami <tkajinam@xxxxxxxxxx>
Date:   Thu Jul 15 23:13:21 2021 +0900

    Enforce usage of raw definitions
    
    This change ensures that any definitions passed are treated as raw
    contents. With this change mistral-dashboard no longer tries to load
    contents based on file path or uri passed in by users, and this
    prohibits access to any local files or any internal contents accessible
    without authentication.
    
    Depends-on: https://review.opendev.org/800950
    Closes-Bug: #1931558
    Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc


** Changed in: mistral
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1931558

Title:
  LFI vulnerability in "Create Workbook"

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in Mistral:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in python-mistralclient:
  New

Bug description:
  Hello,
  I've found a Local File Inclusion (LFI) vulnerability in creating a workbook on OpenStack Dashboard.
  This vulnerability allows an attacker to read sensitive files on the server, like /etc/password, config files, etc. Tested version: Victoria Horizon 18.6.3
  I did not have an opportunity to test the other versions, but I think those versions are also vulnerable.

  Steps to reproduce:
  1. Create a text file datnt78.txt with content: "/etc/passwd"
  2. Select Workflow -> Workbooks -> Create Workbook
  3. In "Definition Source" select "File", then browse to the datnt78.txt file, then click Validate and you get the /etc/passwd content.

  This is the request: http://paste.openstack.org/show/806520/
  This is the response: http://paste.openstack.org/show/806521/
  Please find the sample file and POC image in the attachment.

  Thank you,
  DatNT78 at FTEL CSOC
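As an added illustration (not code from mistral-dashboard or python-mistralclient), the "contents or file name" pattern the commit message describes is shown beside the raw-only form the fix mandates, plus a heuristic a reviewer can use to flag a submitted definition that is nothing but a path or URI. The temporary file, its contents and the `load_definition_*` / `looks_like_reference` names are constructed for this example.

```python
import os
import tempfile
from urllib.parse import urlparse


# Illustrative only, not the real mistral-dashboard/mistralclient code.
# Vulnerable pattern behind the report: a "contents or file name" helper
# treats the submitted definition text as a path (or URI) when it looks
# like one and returns what it references instead of the text itself.
def load_definition_vulnerable(definition: str) -> str:
    candidate = definition.strip()
    if os.path.isfile(candidate):
        with open(candidate, encoding="utf-8") as fh:  # server-side read
            return fh.read()
    if urlparse(candidate).scheme in ("http", "https"):
        raise ValueError("remote fetch omitted from this example")
    return definition


# Hardened form matching the fix's intent: what the user submits *is* the
# definition; it is never resolved as a path or URI on the server.
def load_definition_raw(definition: str) -> str:
    return definition


# Detection heuristic for defenders: a "definition" whose whole body is a
# single absolute path or URI is never a valid YAML workbook, so log it.
def looks_like_reference(definition: str) -> bool:
    body = definition.strip()
    if not body or "\n" in body:
        return False
    return body.startswith("/") or urlparse(body).scheme in ("http", "https")


def demo() -> dict:
    """Constructed server-side file standing in for /etc/passwd."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = fh.name
    try:
        submitted = secret_path + "\n"  # the uploaded one-line "workbook"
        return {
            "vulnerable": load_definition_vulnerable(submitted),
            "raw": load_definition_raw(submitted),
            "flagged": looks_like_reference(submitted),
        }
    finally:
        os.unlink(secret_path)
```

Running `demo()` shows the vulnerable loader returning the temp file's contents while the raw loader returns the submitted path text unchanged and the heuristic flags the submission.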
