[Openstack-security] [Bug 1289033] Fix merged to horizon (stable/havana)
OpenStack Infra
1289033 at bugs.launchpad.net
Tue Apr 8 18:57:28 UTC 2014
Reviewed: https://review.openstack.org/86056
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=54ec015f720a4379e8ffc34345b3a7bf36b6f15b
Submitter: Jenkins
Branch: stable/havana
commit 54ec015f720a4379e8ffc34345b3a7bf36b6f15b
Author: CristianFiorentino <cristian.fiorentino at intel.com>
Date: Mon Mar 10 17:36:31 2014 -0300
Introduces escaping in Horizon/Orchestration
1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
The "Description" parameter in a Heat template is used to populate
a help_text tooltip in the dynamically generated Heat form. Bootstrap
inserts this tooltip into the DOM using .html() which undoes any
escaping we do in Django (it should be using .text()).
This was fixed by forcing the help_text content to be escaped a second
time. The issue itself is mitigated in bootstrap.js release 2.0.3
(ours is currently 2.0.1).
2) Properly escape untrusted Heat template 'outputs'
The 'outputs' parameter in a Heat template was included in a Django
template with HTML autoescaping turned off. Malicious HTML content
could be included in a Heat template and would be rendered by Horizon
when details about a created stack were displayed.
This was fixed by not disabling autoescaping and explicitly escaping
untrusted values in any strings that are later marked "safe" to render
without further escaping.
Conflicts:
openstack_dashboard/dashboards/project/stacks/mappings.py
Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
Closes-Bug: #1289033
Co-Authored-By: Kieran Spear <kispear at gmail.com>
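The two escaping chains described in the commit message, as an added stand-alone illustration that is not Horizon's code: Django's escape()/mark_safe and the Bootstrap 2.0.1 tooltip are modelled with the standard library (html.escape/html.unescape and plain strings), and the sample description, output names and values are constructed for the example.

```python
"""Model of the two escaping bugs fixed in Horizon's stack views.

Constructed illustration, not Horizon's code: Django's escape()/mark_safe are
stood in for by html.escape and plain str, and Bootstrap's tooltip is reduced
to "read the title attribute, insert the result with .html()".
"""
from html import escape, unescape

# Constructed sample input: the payload from the bug's reproduction steps,
# placed in a template parameter's "Description".
MALICIOUS_DESCRIPTION = "<script>alert('XSS!!!')</script>"


def help_text_attribute(help_text, escape_twice):
    """Value that ends up in the generated form field's title attribute.

    Django autoescaping always escapes once; the fix additionally escapes the
    help_text before it reaches the form, so the attribute carries it twice.
    """
    value = escape(help_text, quote=True) if escape_twice else help_text  # the fix
    return escape(value, quote=True)  # Django template autoescape


def tooltip_dom_fragment(help_text, escape_twice):
    """What a tooltip that uses .html() inserts into the DOM.

    The browser decodes entity references when JavaScript reads an attribute,
    so one level of escaping is consumed before .html() ever sees the string.
    With a single escape the original markup comes back; with two, the
    fragment is still entity-encoded text and is displayed, not parsed.
    """
    return unescape(help_text_attribute(help_text, escape_twice))


def is_live_markup(fragment):
    """True if the fragment contains a raw '<' and would be parsed as tags."""
    return "<" in fragment


# Constructed sample stack outputs as returned by Heat (template-controlled,
# therefore untrusted). The second entry carries the payload.
SAMPLE_OUTPUTS = [
    {"output_key": "WebsiteURL", "output_value": "http://stack.example.test/"},
    {"output_key": "Note", "output_value": MALICIOUS_DESCRIPTION},
]


def render_outputs_autoescape_off(outputs):
    """Pre-fix behaviour: values interpolated with autoescaping disabled."""
    return "".join(
        f"<dt>{o['output_key']}</dt><dd>{o['output_value']}</dd>" for o in outputs
    )


def render_outputs_escaped(outputs):
    """Post-fix behaviour: every untrusted field is escaped before the
    assembled string is treated as safe markup (mark_safe modelled as str)."""
    def safe(value):
        return escape(str(value), quote=True)
    return "".join(
        f"<dt>{safe(o['output_key'])}</dt><dd>{safe(o['output_value'])}</dd>"
        for o in outputs
    )


def outputs_are_live_markup(rendered):
    """Remove the template's own <dt>/<dd> scaffolding, then check whether any
    untrusted value survived as raw markup."""
    inner = rendered
    for tag in ("<dt>", "</dt>", "<dd>", "</dd>"):
        inner = inner.replace(tag, "")
    return is_live_markup(inner)


if __name__ == "__main__":
    print("single escape ->", tooltip_dom_fragment(MALICIOUS_DESCRIPTION, False))
    print("double escape ->", tooltip_dom_fragment(MALICIOUS_DESCRIPTION, True))
    print("autoescape off ->", render_outputs_autoescape_off(SAMPLE_OUTPUTS))
    print("escaped        ->", render_outputs_escaped(SAMPLE_OUTPUTS))
```

The tooltip half shows why a single escape is not enough when the consumer re-parses the string as HTML: the browser's attribute decoding cancels the first escape, so only the second one reaches .html(). The outputs half shows the general rule behind the second fix: escape each untrusted value individually, and only then mark the assembled string safe.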
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1289033
Title:
[OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157)
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Committed
Bug description:
*Description*
XSS vulnerability identified in Horizon-Orchestration while uploading a stack template.
Arbitrary JavaScript code may be introduced via the "Description" fields of Heat templates; such code was found to be executed by Horizon.
*Threat Description*
-Potential Adversaries: malicious Heat template owners/malicious Heat template catalogs.
-Potential Assets: Horizon user/admin access credentials (session cookies/CSRF tokens), VMs/network configuration/management, tenants' confidential information, etc.
-Potential Threats: Malicious Heat template owner/catalog makes a Horizon user utilize a malicious template, which once introduced in Horizon obtains user access credentials and sends them back to the attacker.
*Environment*
One node with Devstack over Ubuntu 13.10, latest Icehouse code, Firefox web browser and the following OpenStack configuration:
shell, key, horizon, g-reg, g-api, n-api, n-cpu, n-cond, n-crt, n-net, n-sch, n-novnc, n-xvnc, n-cauth, n-obj, c-api, c-sch, c-vol, ceilometer-acompute, ceilometer-acentral, ceilometer-collector, ceilometer-api, ceilometer-alarm-notifier, ceilometer-alarm-evaluator, h-eng, h-api, h-api-cfn, h-api-cw
*Steps to reproduce*
1- Sign-in to Horizon and click on Orchestration/Stack section.
2- Click on "Launch Stack"
3- Select "Direct input", and copy-paste into "Template data" the contents of some template (I have used:
https://github.com/openstack/heat-templates/blob/master/cfn/F17/AutoScalingMultiAZSample.template)
4- Update the contents of the DBUsername "Description" field with the following:
"DBUsername": {
...
"Description" : "<script>alert('XSS!!!')</script>",
...
},
5- Click on Next
6- Being on the Launch Stack form, click on DBUsername text box as if you were going to modify its value.
7- A pop-up saying "XSS!!!" will appear, confirming the XSS vulnerability.
*How to fix*
- Perform input validation for "Description" fields in templates (need to take into account all template input methods: upload from URL, upload from file, direct input).
- Perform output sanitization when displaying template's "Description" messages.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1289033/+subscriptions