Reviewed: https://review.openstack.org/86054
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1b0106e2804a45e641433c4bd459e6bed85521c3
Submitter: Jenkins
Branch: milestone-proposed

commit 1b0106e2804a45e641433c4bd459e6bed85521c3
Author: CristianFiorentino <[email protected]>
Date: Mon Mar 10 17:36:31 2014 -0300

    Introduces escaping in Horizon/Orchestration

    1) Escape help_text a second time to avoid bootstrap tooltip XSS issue

    The "Description" parameter in a Heat template is used to populate a
    help_text tooltip in the dynamically generated Heat form. Bootstrap
    inserts this tooltip into the DOM using .html() which undoes any
    escaping we do in Django (it should be using .text()).

    This was fixed by forcing the help_text content to be escaped a second
    time. The issue itself is mitigated in bootstrap.js release 2.0.3
    (ours is currently 2.0.1).

    2) Properly escape untrusted Heat template 'outputs'

    The 'outputs' parameter in a Heat template was included in a Django
    template with HTML autoescaping turned off. Malicious HTML content
    could be included in a Heat template and would be rendered by Horizon
    when details about a created stack were displayed.

    This was fixed by not disabling autoescaping and explicitly escaping
    untrusted values in any strings that are later marked "safe" to render
    without further escaping.

    Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
    Closes-Bug: #1289033
    Co-Authored-By: Kieran Spear <[email protected]>

** Changed in: horizon
   Status: Fix Committed => Fix Released

** Changed in: horizon/havana
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1289033

Title:
  [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  *Description*
  XSS vulnerability identified in Horizon-Orchestration while uploading a
  stack template. Arbitrary Javascript code may be introduced via the
  "Description" fields of Heat templates; such code was found to be
  executed by Horizon.

  *Threat Description*
  - Potential Adversaries: malicious Heat template owners / malicious Heat
    template catalogs.
  - Potential Assets: Horizon user/admin access credentials (session
    cookies / CSRF tokens), VMs / network configuration / management,
    tenants' confidential information, etc.
  - Potential Threats: A malicious Heat template owner/catalog makes a
    Horizon user utilize a malicious template, which once introduced in
    Horizon obtains user access credentials and sends them back to the
    attacker.

  *Environment*
  One node with Devstack over Ubuntu 13.10, latest Icehouse code, Firefox
  web browser and the following OpenStack configuration: shell, key,
  horizon, g-reg, g-api, n-api, n-cpu, n-cond, n-crt, n-net, n-sch,
  n-novnc, n-xvnc, n-cauth, n-obj, c-api, c-sch, c-vol,
  ceilometer-acompute, ceilometer-acentral, ceilometer-collector,
  ceilometer-api, ceilometer-alarm-notifier, ceilometer-alarm-evaluator,
  h-eng, h-api, h-api-cfn, h-api-cw

  *Steps to reproduce*
  1- Sign in to Horizon and click on the Orchestration/Stack section.
  2- Click on "Launch Stack".
  3- Select "Direct input", and copy-paste into "Template data" the
     contents of some template (I have used:
     https://github.com/openstack/heat-templates/blob/master/cfn/F17/AutoScalingMultiAZSample.template)
  4- Update the contents of the DBUsername "Description" field with the
     following:

       "DBUsername": {
         ...
         "Description" : "<script>alert('XSS!!!')</script>",
         ...
       },

  5- Click on Next.
  6- Being on the Launch Stack form, click on the DBUsername text box as
     if you were going to modify its value.
  7- A pop-up saying "XSS!!!" will appear, confirming the XSS
     vulnerability.

  *How to fix*
  - Perform input validation for "Description" fields in templates (need
    to take into account all template input methods: upload from URL,
    upload from file, direct input).
  - Perform output sanitization when displaying the template's
    "Description" messages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1289033/+subscriptions
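The two escaping fixes described in the commit message above, modelled as an added example in plain Python (not Horizon's own code, and not using Django). `SafeString`, `escape_once`, `browser_parse`, `help_text_for_tooltip` and `render_outputs` are stand-ins I introduce here: `SafeString` plays the role of Django's "safe" marker, `escape_once` is one round of Django-style autoescaping, and `browser_parse` models what happens when jQuery's `.html()` hands a string to the HTML parser (entity references get decoded). The sample description and outputs are constructed for the example.

```python
import html

# Constructed sample input: a Heat parameter "Description" carrying markup,
# shaped like the payload in the bug report.
UNTRUSTED_DESCRIPTION = "<script>alert('XSS!!!')</script>"

# Constructed sample stack outputs, one of them carrying markup.
SAMPLE_OUTPUTS = [
    {"output_key": "URL", "output_value": "http://10.0.0.5/", "description": "Site address"},
    {"output_key": "Note", "output_value": "<b>bold</b>", "description": "<img src=x onerror=1>"},
]


class SafeString(str):
    """Stand-in for Django's SafeString: the template engine will not escape it again."""


def escape_once(value):
    """One round of HTML escaping, as Django autoescaping applies to a plain str."""
    return html.escape(str(value), quote=True)


def browser_parse(markup):
    """Model of inserting markup via jQuery .html(): the browser parses it as HTML,
    so one layer of entity references is decoded. (.text() would not do this.)"""
    return html.unescape(markup)


def help_text_for_tooltip(description):
    """Fix 1: escape twice, because Bootstrap's tooltip inserts help_text with .html().
    The outer layer is consumed by the HTML parser, the inner layer survives as
    literal text. Marked safe so the template engine does not add a third layer."""
    return SafeString(escape_once(escape_once(description)))


def render_outputs_autoescape_off(outputs):
    """The 'before' state: values interpolated verbatim with autoescaping disabled."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
        % (o.get("output_key", ""), o.get("output_value", ""), o.get("description", ""))
        for o in outputs
    )
    return SafeString("<table>%s</table>" % rows)


def render_outputs(outputs):
    """Fix 2: escape every untrusted field first, and only then mark the assembled
    HTML as safe so the markup we wrote (the table) renders but the values do not."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
        % (
            escape_once(o.get("output_key", "")),
            escape_once(o.get("output_value", "")),
            escape_once(o.get("description", "")),
        )
        for o in outputs
    )
    return SafeString("<table>%s</table>" % rows)


def tooltip_survives_html_insertion(description):
    """True when the text the user sees after .html() insertion still contains no
    raw tag; used to compare single and double escaping."""
    single = browser_parse(escape_once(description))
    double = browser_parse(help_text_for_tooltip(description))
    return {"single_escape_reopens_tag": "<script" in single,
            "double_escape_reopens_tag": "<script" in double}


if __name__ == "__main__":
    print(tooltip_survives_html_insertion(UNTRUSTED_DESCRIPTION))
    print(render_outputs(SAMPLE_OUTPUTS))
```

The point the first check makes is the one the commit message states: a single escape is exactly undone by `.html()`, so the tooltip ends up containing the original `<script>` element, while the double-escaped form decodes to `&lt;script&gt;`, which the browser displays as literal text. The second fix is the general rule for any string you mark safe: escape each untrusted piece before concatenation, never the other way round.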

