yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1931558] Re: LFI vulnerability in "Create Workbook"

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Takashi Kajinami <1931558@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Aug 2022 12:26:48 -0000
Reply-to: Bug 1931558 <1931558@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Changed in: python-mistralclient
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1931558

Title:
  LFI vulnerability in "Create Workbook"

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in Mistral:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in python-mistralclient:
  Fix Released

Bug description:
  Hello,
  I've found a Local File Inclusion (LFI) vulnerability in creating a workbook on OpenStack Dashboard.
  This vulnerability allows the attacker to read a sensitive file on the server like /etc/password, config file, etc. Tested version: Victoria Horizon 18.6.3
  I do not an opportunity to test the other version, but I think those versions also vulnerable.

  Steps to reproduce:
  1. Create a text file datnt78.txt with content: "/etc/passwd"
  2. Select Workflow -> Workbooks -> Create Workbook
  3. In "Definition Source" select "File" then browse datnt78.txt file then click Validate and got /etc/passwd content.

  This is the request: http://paste.openstack.org/show/806520/
  This is the response: http://paste.openstack.org/show/806521/
  Please find the sample file and POC image in the attachment.

  Thank you,
  DatNT78 at FTEL CSOC

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1931558/+subscriptions