[Yahoo-eng-team] [Bug 1573479] [NEW] User's email cannot be deleted by updating the user

2016-04-22 Thread Zhang Yun
Public bug reported:
Environment: Kilo build
Steps:
1) Log in using admin
2) Click Identity -> Users
3) Create a user with an email address entered.
4) Then edit this user and set the email parameter to empty, intending to remove the original email.
5) But after this update, the email address still exists.

[Yahoo-eng-team] [Bug 1319319] Re: The web server allows the HTTP TRACE or TRACK methods.

2014-09-16 Thread Zhang Yun
Hi Mark, could we disable HTTP TRACE support in our web server to avoid this security issue?
** Changed in: openstack-chef
Status: Expired => New
-- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard

[Yahoo-eng-team] [Bug 1369870] [NEW] Missing Secure Attribute in Encrypted Session (SSL) Cookie

2014-09-16 Thread Zhang Yun
Public bug reported:
Affected URL: https://Ip_address/settings/
Risk: It may be possible to steal user and session information (cookies) that was sent during an encrypted session.
Causes: The web application sends non-secure cookies over SSL.
Recommended fix: Add the 'Secure' attribute to all

[Yahoo-eng-team] [Bug 1369876] [NEW] Missing HttpOnly Attribute in Session Cookie

2014-09-16 Thread Zhang Yun
Public bug reported:
Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions

[Yahoo-eng-team] [Bug 1369878] [NEW] Hidden Directory Detected in Horizon

2014-09-16 Thread Zhang Yun
Public bug reported:
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way.
Recommended fix: Issue a 404 - Not Found response status code

[Yahoo-eng-team] [Bug 1369880] [NEW] Autocomplete HTML Attribute Not Disabled for Password Field in Horizon

2014-09-16 Thread Zhang Yun
Public bug reported:
Risk: It may be possible to bypass the web application's authentication mechanism.
Recommended fix: Correctly set the autocomplete attribute to off.
Affected URL: https://Ip_address/settings/password/ https://Ip_address/auth/login/
Take the second URL's test result and

[Yahoo-eng-team] [Bug 1369865] [NEW] Permanent Cookie Contains Sensitive Session Information

2014-09-16 Thread Zhang Yun
Public bug reported:
Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.
Causes: The web application stores sensitive session information in a permanent cookie (on disk)

[Yahoo-eng-team] [Bug 1368040] Re: random.choice in /cinder/volume/utils.py may have a potential security issue

2014-09-11 Thread Zhang Yun
The same method is used in /nova/virt/disk/api.py:

                'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                '0123456789./')
    salt = 16 * ' '
    return ''.join([random.choice(salt_set) for c in salt])   -- This line has the described issue

def _set_passwd(username, admin_passwd, passwd_data, shadow_data):

** Also