Thanks for the feedback everyone. We'll classify it as a security
hardening opportunity in that case, no advisory needed.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1842749

Title:
  CSV Injection Possible in Compute Usage History

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Many spreadsheet programs, such as Excel, LibreOffice, and OpenOffice, will
  parse and treat cells with special metacharacters as formulas. These programs
  can open comma-separated values (CSV) files and treat them as spreadsheets. If
  an attacker can influence the contents of a CSV file, then that can allow the
  attacker to inject code that will execute when someone opens the CSV file
  through a spreadsheet program.

  In the Compute Overview panel in Horizon, there is a section titled "Usage
  Summary." This section has a feature for downloading a CSV document of that
  usage summary. The contents of the CSV document include the names of the
  instances and other points of data such as their current state or how many
  resources they consume.

  An attacker could create an instance with a malicious name beginning with an
  equals sign (=) or at sign (@). These are both recognized in Excel as
  metacharacters for a formula. The attacker can create an instance name that
  includes a payload that will execute code such as:

  =cmd|' /C calc'!A0

  This payload opens the calculator program when the resulting CSV is
  opened on a Windows machine with Microsoft Excel. An attacker could
  easily substitute this payload with another that runs any arbitrary
  shell commands.

  Reproduction Steps:

  1. Access an OpenStack project, navigate to the Instances section.
  2. Create an instance with the following name:
  =cmd|' /C calc'!A0
  3. Navigate to the Overview section.
  4. Refresh the page until the new instance shows up in the Usage list.
  5. Click the button titled “DOWNLOAD CSV SUMMARY.”
  6. Observe the generated CSV file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1842749/+subscriptions
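The defensive side of the report above, as an added example that is not Horizon's own code or its eventual fix: every cell written to the usage CSV is neutralised so a spreadsheet treats it as literal text. Field names and the sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that Excel/LibreOffice/OpenOffice treat as the start of
# a formula. Tab and carriage return are included because some importers
# strip them and then evaluate whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """Return True if a cell value would be interpreted as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def escape_csv_cell(value):
    """Neutralise a cell so spreadsheet programs display it as text.

    A leading single quote forces the cell to be read as a literal string;
    the original value is kept after it so nothing is lost from the export.
    Non-string values (counts, floats) pass through unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def usage_summary_csv(rows):
    """Render usage rows as CSV text with every cell escaped and quoted.

    `rows` is a list of dicts with assumed field names mimicking the usage
    summary (constructed here, not Horizon's real column set).
    """
    fields = ["instance_name", "state", "vcpus", "ram_mb", "uptime_s"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: escape_csv_cell(row.get(k, "")) for k in fields})
    return buf.getvalue()


# Constructed sample: one benign instance and one named with the payload
# quoted in the report.
SAMPLE_ROWS = [
    {"instance_name": "web-01", "state": "Active", "vcpus": 2, "ram_mb": 4096, "uptime_s": 3600},
    {"instance_name": "=cmd|' /C calc'!A0", "state": "Active", "vcpus": 1, "ram_mb": 512, "uptime_s": 60},
]

if __name__ == "__main__":
    print(usage_summary_csv(SAMPLE_ROWS))
```

Quoting every field (QUOTE_ALL) also stops a name containing commas or newlines from spilling into neighbouring cells.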
