Switched to public and set "won't fix" for the security advisory task
since this behavior is by design.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1489415
Title:
Cross-site Request Forgery token is static throughout the application
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Description:
It was observed the application is setting cookie on every request but the
parameters like session id, csrf token, etc were static.
Affected URL :
Throughout the application
The functionality allowed by the website can be performed by an
attacker utilizing CSRF. Attackers can easily forge a series of
requests by using multiple tags or possibly JavaScript and force the
victim to perform undesired functions.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1489415/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
