[Openstack-security] [Bug 1369865] Re: Permanent Cookie Contains Sensitive Session Information

OpenStack Infra 1369865 at bugs.launchpad.net
Tue Dec 1 01:20:18 UTC 2015


Reviewed:  https://review.openstack.org/246611
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=21a8de1d938479876f5a0277b45b58adc8fc2c86
Submitter: Jenkins
Branch:    master

commit 21a8de1d938479876f5a0277b45b58adc8fc2c86
Author: Kent Wang <kent.wang at intel.com>
Date:   Tue Nov 17 21:26:18 2015 +0000

    Change Permanent Cookie Contain Sensitive Info
    
    Right now, the 'csrftoken' cookie is stored on disk as a permanent
    cookie. There is a risk for sensitive session information (cookies)
    that are persisted on disk as permanent cookies.
    
    This fixes this issue by storing the cookies in-memory instead of
    in persistent storage.
    
    Change-Id: Ia45b09571d495d4f98b60545903af72eb0f061c2
    Closes-Bug: #1369865


** Changed in: horizon
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369865

Title:
  Permanent Cookie Contains Sensitive Session Information

Status in OpenStack Dashboard (Horizon):
  Fix Committed

Bug description:
  Affected URL: https://Ip_address/admin/
  Entity: csrftoken (Cookie)
  Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.

  Causes: The web application stores sensitive session information in a
  permanent cookie (on disk)

  Recommended Fix: Avoid storing sensitive session information in
  permanent cookies

  Test requests and response:
  GET /admin/ HTTP/1.1
  Host: 9.5.29.52
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Referer: https://9.5.29.52/
  Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
  Connection: keep-alive

  HTTP/1.1 200 OK
  Date: Fri, 12 Sep 2014 07:52:50 GMT
  Server: Apache
  Vary: Accept-Language,Cookie,Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html
  Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
  Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure

  <!DOCTYPE html>
  <html>
  <head>
  2014/9/12 516
  <meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
  <title>Usage Overview - Cloud Management Dashboard</title>
  <!--
  Copyright 2014 Corp.
  -->
  <link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
  <link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
  <!--
  Fix header padding issue in IE < 10
  -->
  <!--[if lt IE 10 ]>
  <style>
  .topbar {
  padding-bottom: 0px;
  }
  </style>
  <![endif]-->
  <script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
  <script type="text/javascript" charset="utf-8">
  /*
  Added so that we can append Horizon scoped JS events to
  the DOM load events without running in to the "horizon"
  name-space not currently being defined since we load the
  scripts at the bottom of the page.
  */
  var addHorizonLoadEvent = function(func) {
  var old_onload = window.onload;
  if (typeof window.onload != 'function') {
  window.onload = func;
  } else {
  window.onload = function() {
  old_onload();
  func();
  }
  }
  }
  </script>
  </head>
  <body id="" ng-app='hz'>
  <div id="container">
  <div class='topbar'>
  <!--
  Copyright 2014 Corp.
  -->
  <h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
  <div id="user_info" class="pull-right">
  <div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
  <div>admin</div>
  </div>
  <div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
  <a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
  <div>admin</div>
  </a>
  <ul id="editor_list" class="dropdown-menu">
  <li class='divider'></li>
  <li><a href="/settings/">Settings</a></li>
  <li><a href="http://docs.openstack.org" target="_new">Help</a></li>
  <li><a href="/auth/logout/">Sign Out</a></li>
  </ul>
  </div>
  <img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
  </div>
  </div>
  <div id='main_content'>
  <div class="messages">
  </div>
  <div class='sidebar'>
  <div>
  <dl class="nav_accordion">
  <dt >
  <div>Project</div>
  </dt>
  <dd style="display:none;">
  <div><h4><div>Compute</div></h4>
  <ul>
  <li><a href="/project/" tabindex="1" >Overview</a></li>
  <li><a href="/project/instances/" tabindex="2" >Instances</a></li>
  <li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
  <li><a href="/project/images/" tabindex="4" >Images</a></li>
  <li><a href="/project/access_and_security/" tabindex="5" >Access & Security</a></li>
  </ul>
  </div>
  <div><h4><div>Network</div></h4>
  <ul>
  <li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
  <li><a href="/project/networks/" tabindex="2" >Networks</a></li>
  <li><a href="/project/routers/" tabindex="3" >Routers</a></li>
  </ul>
  </div>
  <div><h4><div>Orchestration</div></h4>
  <ul>
  <li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
  </ul>
  </div>
  ...
  ...
  ...
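The two Set-Cookie lines in the response quoted above show the defect directly: csrftoken carries both Expires and Max-Age=31449600 (Django's default CSRF_COOKIE_AGE, 52 weeks), so the browser writes it to its on-disk cookie store, while sessionid has neither attribute and lives only in memory for the browser session. The script below is an added example, not Horizon code or the reporter's test tooling. It parses those two headers (copied here as constructed sample input), flags sensitive cookies that are persistent or lack the Secure/HttpOnly attributes, and rewrites a header into the browser-session form that Django emits when CSRF_COOKIE_AGE is set to None. The function names, SENSITIVE_NAMES and JS_READABLE are assumptions made for the demo.

```python
"""Audit Set-Cookie headers for on-disk persistence and protective flags.

Added example for the bug report above; not code from Horizon or the reporter.
The two sample headers are copied from the quoted HTTP response; the function
names, SENSITIVE_NAMES and JS_READABLE are assumptions made for this demo.
"""

# Cookies holding session or anti-CSRF state: these should stay in memory.
SENSITIVE_NAMES = {"sessionid", "csrftoken"}

# Cookies that client-side JavaScript must read (Django's CSRF pattern copies
# csrftoken into the X-CSRFToken request header), so HttpOnly cannot be set.
JS_READABLE = {"csrftoken"}

# Constructed sample input: the Set-Cookie headers from the response above.
SAMPLE_HEADERS = [
    "csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; "
    "expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure",
    "sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure",
]

PERSISTENT = "persistent cookie (Max-Age/Expires set)"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    attrs maps lower-cased attribute names to their string value, or True for
    flag attributes such as Secure and HttpOnly. Splitting on ';' is safe even
    for Expires, whose value contains a comma but never a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def is_persistent(attrs):
    """True when a browser would write the cookie to its cookie store.

    RFC 6265 s5.3: Max-Age wins over Expires when both are present; a cookie
    with neither is a session cookie held only in memory. A non-positive
    Max-Age deletes the cookie rather than persisting it.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def audit(headers, sensitive=SENSITIVE_NAMES, js_readable=JS_READABLE):
    """Return (cookie name, finding) pairs for sensitive cookies that are
    persisted to disk or lack the Secure/HttpOnly attributes."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        if is_persistent(attrs):
            findings.append((name, PERSISTENT))
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs and name not in js_readable:
            findings.append((name, "missing HttpOnly"))
    return findings


def as_session_cookie(header):
    """Rewrite a Set-Cookie header as a browser-session cookie by dropping
    Max-Age and Expires and keeping every other attribute unchanged. This is
    the shape Django emits for csrftoken when CSRF_COOKIE_AGE is None."""
    parts = [p.strip() for p in header.split(";")]
    kept = [parts[0]]
    for part in parts[1:]:
        key = part.partition("=")[0].strip().lower()
        if part and key not in ("max-age", "expires"):
            kept.append(part)
    return "; ".join(kept)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
    print("fixed:", as_session_cookie(SAMPLE_HEADERS[0]))
    print("after fix:", audit([as_session_cookie(h) for h in SAMPLE_HEADERS]))
```

Run against the sample headers, the audit reports only csrftoken as persistent: sessionid already has Secure and HttpOnly and no lifetime attribute. csrftoken is exempted from the HttpOnly check because Django-style front ends read it from JavaScript to populate the X-CSRFToken header; whether that applies to a given deployment is an assumption to confirm before adopting the check. Note that making the cookie a session cookie limits exposure through the on-disk cookie store but does nothing for an XSS that can read document.cookie, which is why the Secure and HttpOnly checks are kept alongside the persistence check.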

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369865/+subscriptions




More information about the Openstack-security mailing list