** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1289033

Title:
  [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  *Description*
  XSS vulnerability identified in Horizon-Orchestration while uploading a stack 
template.
  Arbitrary Javascript code may be introduced via the "Description" fields of 
Heat templates; such code was found to be executed by Horizon.

  *Threat Description*
  -Potential Adversaries: malicious Heat template owners/malicious Heat 
template catalogs.
  -Potential Assets: Horizon user/admin access credentials (session 
cookies/CSRF tokens), VMs/network configuration/management, tenants' 
confidential information, etc.
  -Potential Threats: A malicious Heat template owner/catalog makes a Horizon 
user utilize a malicious template, which once introduced in Horizon obtains 
the user's access credentials and sends them back to the attacker. 

  *Environment*
  One node with Devstack over Ubuntu 13.10, latest Icehouse code, Firefox web 
browser and the following OpenStack configuration:
  shell, key, horizon, g-reg, g-api, n-api, n-cpu, n-cond, n-crt, n-net, n-sch, 
n-novnc, n-xvnc, n-cauth, n-obj, c-api, c-sch, c-vol, ceilometer-acompute, 
ceilometer-acentral, ceilometer-collector, ceilometer-api, 
ceilometer-alarm-notifier, ceilometer-alarm-evaluator, h-eng, h-api, h-api-cfn, 
h-api-cw  

  *Steps to reproduce*
  1- Sign in to Horizon and click on the Orchestration/Stacks section.
  2- Click on "Launch Stack"
  3- Select "Direct input", and copy-paste into "Template data" the contents of 
some template (I have used: 
https://github.com/openstack/heat-templates/blob/master/cfn/F17/AutoScalingMultiAZSample.template)
  4- Update the contents of the DBUsername "Description" field with the 
following:
     "DBUsername": {
        ...
        "Description" : "<script>alert('XSS!!!')</script>",
        ...
      },
  5- Click on Next
  6- On the Launch Stack form, click on the DBUsername text box as if you 
were going to modify its value.
  7- A pop-up saying "XSS!!!" will appear, confirming the XSS vulnerability.

  *How to fix*
  - Perform input validation for "Description" fields in templates (need to 
take into account all template input methods: upload from URL, upload from 
file, direct input).
  - Perform output sanitization when displaying templates' "Description" 
messages.
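
The two mitigations above, as an added illustration that is not Horizon's actual patch: a constructed CFN-style template (JSON, like the one in the report) is parsed, parameter descriptions that carry markup are flagged at input time, and every description is HTML-escaped before it could be used as form help text. Only the Python standard library is used (no Django).

```python
import json
from html import escape

# Constructed sample: a minimal Heat/CFN template in which the DBUsername
# "Description" carries the script tag from the report above.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "DBUsername": {
            "Type": "String",
            "Description": "<script>alert('XSS!!!')</script>",
        },
        "KeyName": {
            "Type": "String",
            "Description": "Name of an existing EC2 KeyPair",
        },
    }
})


def parameter_descriptions(template_text):
    """Parse a JSON template and return {parameter name: raw description}."""
    template = json.loads(template_text)
    params = template.get("Parameters", {})
    result = {}
    for name, spec in params.items():
        description = spec.get("Description", "")
        # Non-string descriptions are coerced so later escaping never fails.
        result[name] = description if isinstance(description, str) else str(description)
    return result


def descriptions_with_markup(template_text):
    """Input validation: names of parameters whose description contains
    characters that would open or close an HTML tag. Sorted for stable output."""
    suspicious = [name for name, desc in parameter_descriptions(template_text).items()
                  if "<" in desc or ">" in desc]
    return sorted(suspicious)


def escaped_help_text(template_text):
    """Output sanitization: {parameter name: HTML-escaped description}.
    quote=True also escapes ' and " so the text is safe inside attributes."""
    return {name: escape(desc, quote=True)
            for name, desc in parameter_descriptions(template_text).items()}


if __name__ == "__main__":
    print("flagged at upload:", descriptions_with_markup(SAMPLE_TEMPLATE))
    for name, text in escaped_help_text(SAMPLE_TEMPLATE).items():
        print(f"{name}: {text}")
```

Rendering the escaped value shows the literal `<script>` text to the user instead of executing it, which is what the "Description" field should have done in the first place.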
