[Openstack-security] [Bug 1289033] Re: [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)

Alan Pevec 1289033 at bugs.launchpad.net
Mon Sep 22 21:49:32 UTC 2014 

** Changed in: horizon/havana
    Milestone: None => 2013.2.4

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1289033

Title:
  [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  *Description*
  XSS vulnerability identified in Horizon-Orchestration while uploading a stack template.
  Arbitrary Javascript code may be introduced via the "Description" fields of Heat templates; such code was found to be executed by Horizon.

  *Threat Description*
  -Potential Adversaries: malicious Heat templates owners/malicious Heat templates catalogs.
  -Potential Assets: horizon user/admin access credentials (session cookies/CSRF tokens), VMs/Network configuration/management, tenants confidential informartion, etc.
  -Potential Threats: Malicious Heat template owner/catalog makes an Horizon user to utilize a malicious template, which once introduced in Horizon obtains user access credentials and send them back to the attacker. 

  *Environment*
  One node with Devstack over Ubuntu13.10, latest Icehouse code, Firefox web browser and the following OpenStack configuration:
  shell, key, horizon, g-reg, g-api, n-api, n-cpu, n-cond, n-crt, n-net, n-sch, n-novnc, n-xvnc, n-cauth, n-obj, c-api, c-sch, c-vol, ceilometer-acompute, ceilometer-acentral, ceilometer-collector, ceilometer-api, ceilometer-alarm-notifier, ceilometer-alarm-evaluator, h-eng, h-api, h-api-cfn, h-api-cw  

  *Steps to reproduce*
  1- Sign-in to Horizon and click on Orchestration/Stack section.
  2- Click on "Launch Stack"
  3- Select "Direct input", and copy-paste into "Template data" the contents of some template (I have used: 
  https://github.com/openstack/heat-templates/blob/master/cfn/F17/AutoScalingMultiAZSample.template)
  4- Update the contents of the DBUsername "Description" field with the following:
     "DBUsername": {
  	...
        "Description" : "<script>alert('XSS!!!')</script>",
  	...
      },
  5- Click on Next
  6- Being on the Launch Stack form, click on DBUsername text box as if you were going to modify its value.
  7- A pop-up saying "XSS!!!" will appear, confirming the XSS vulnerability.

  *How to fix*
  - Perform input validation for "Description" fields in templates (need to take into account all template input methods: upload from URL, upload from file, direct input).
  - Perform output sanitization when displaying template's "Description" messages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1289033/+subscriptions

More information about the Openstack-security mailing list