[openstack-dev] [OSSN-0073] Horizon dashboard leaks internal information through cookies

Luke Hinds lhinds at redhat.com
Thu Sep 8 20:38:17 UTC 2016

Horizon dashboard leaks internal information through cookies

### Summary ###
When horizon is configured, its URL contains the IP address of
the internal URL of keystone, as the default value for the identity
service is "internalURL".[1]

The cookie "login_region" will be set to the value configured as
OPENSTACK_KEYSTONE_URL, given in the local_settings.py file.

Usually, the OPENSTACK_KEYSTONE_URL is the publicURL, and hence the
cookie URL will also be the public one. If set to internal URL (by
default), then the login cookie URL will be the internal URL or IP. So,
by putting the OPENSTACK_KEYSTONE_URL in the cookie that is sent to
the public network, horizon leaks the values of the internal network IP

### Affected Services and Software ###

### Discussion ###
This is not a bug in horizon, but a possible misconfiguration issue.

Exposing the internal URL is not a bug, since one can view the internal
URL as it's a freely accessible endpoint to authorized users, or it's
hidden behind a firewall. Also, the data for internal URLs are freely
available in the catalog and the catalog is not considered private

### Contacts / References ###
Author: Khanak Nangia, Intel
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831
Related bug : https://bugs.launchpad.net/horizon/+bug/1597864
OpenStack Security ML : openstack-dev at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
[1]: http://docs.openstack.org/developer/horizon/topics/settings.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x3C202614.asc
Type: application/pgp-keys
Size: 1698 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160908/5b20f38f/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160908/5b20f38f/attachment.pgp>

More information about the OpenStack-dev mailing list