Public bug reported:
Environment: Kilo build
Steps:
1) Login using admin
2) Click Identity -> Users
3) Create a user with email address input.
4) Then edit this user to leave the email parameter empty, in order to remove
the original email.
5) But after this update, the email address still exists.
Hi Mark, could we disable HTTP TRACE support in our web server to avoid
this security issue?
** Changed in: openstack-chef
Status: Expired => New
Public bug reported:
Affected URL: https://Ip_address/settings/
Risk: It may be possible to steal user and session information (cookies)
that was sent during an encrypted session
Causes: The web application sends non-secure cookies over SSL
Recommend Fix: Add the 'Secure' attribute to all
Public bug reported:
Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which
might be used to impersonate a legitimate user, allowing the hacker to view or
alter user records, and to perform transactions
Public bug reported:
Risk: It is possible to retrieve information about the site's file system
structure, which may help the attacker to map the web site.
Cause: The web server or application server are configured in an insecure way
Recommend fix: Issue a 404 - Not Found response status code
Public bug reported:
Risk: It may be possible to bypass the web application's authentication
mechanism.
Recommend fix: Correctly set the autocomplete attribute to off
Affected URL: https://Ip_address/settings/password/
https://Ip_address/auth/login/
Take the second URL's test result and
Public bug reported:
Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It may be possible to steal session information (cookies) that was kept
on disk as permanent cookies.
Causes: The web application stores sensitive session information in a
permanent cookie (on disk)
The same method used in /nova/virt/disk/api.py:
'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
'0123456789./')
salt = 16 * ' '
return ''.join([random.choice(salt_set) for c in salt]) -- This
line has described issue
def _set_passwd(username, admin_passwd, passwd_data, shadow_data):
** Also
8 matches