[Openstack-security] [Bug 1197459] Re: noVNC contains the session token in URL and insecurely sets the session cookie
David Ibarra
dibarra at hostgator.com
Wed Jan 28 17:43:10 UTC 2015
I just loaded up VNC and it seems to work fine for me, the
ctrl+alt+delete function works and everything.
It is a hack, but it at least protects against a MITM/XSS situation
where someone can grab the token.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1197459
Title:
noVNC contains the session token in URL and insecurely sets the
session cookie
Status in OpenStack Compute (Nova):
Opinion
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The VNC Console connection in Nova works by having the user connect to
the API, which returns a URL such as:
https://example.com:443/?token=abc where the token has a TTL and is
then used to create a session from a WebSocket. However, URLs should
not contain sensitive information such as session tokens with a TTL,
since URLs can be leaked through proxy logs or other types of attacks
such as Cross-Site Scripting. Additionally, because the session cookie
is set with JavaScript it cannot securely be set to HttpOnly, nor is
it set with the Secure flag, making it further susceptible to
Cross-Site Scripting attacks or leakage through a non-SSL connection. To
limit the exposure of the token being leaked through the URL, the
token returned from the API should be one-time use and only used
as an authentication token in order to obtain a session. The session
cookie should be set by a Web Service instead of the client, so that
the cookie can be set securely with the HttpOnly flag in
addition to the Secure flag.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1197459/+subscriptions
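The mitigation the bug description asks for, shown as an added example that is not Nova or noVNC code: the API-issued console token is redeemed exactly once, within its TTL, by a server-side endpoint, and the reusable credential is handed back only as a cookie the web service sets with HttpOnly and Secure, so neither the URL nor page JavaScript ever holds a long-lived session value. The class, function and endpoint names, the 60-second TTL and the `/console` redirect target are assumptions for illustration.

```python
"""Added example (not Nova/noVNC code): one-time console token exchanged
server-side for a session cookie set with HttpOnly and Secure."""
import secrets
import time
from http.cookies import SimpleCookie

TOKEN_TTL_SECONDS = 60  # assumed short lifetime for the URL-carried token


class ConsoleTokenStore:
    """Holds one-time console tokens and the sessions they are exchanged for.
    `clock` is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # token -> (instance_id, expiry timestamp)
        self._sessions = {}  # session_id -> instance_id

    def issue_token(self, instance_id):
        """What the API hands out in the console URL: random, short-lived."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (instance_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Exchange the token for a session id exactly once.
        Returns None for an unknown, already-used or expired token."""
        entry = self._tokens.pop(token, None)  # pop: a second redeem fails
        if entry is None:
            return None
        instance_id, expiry = entry
        if self._clock() > expiry:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = instance_id
        return session_id

    def lookup_session(self, session_id):
        """Resolve a cookie-carried session id back to its instance."""
        return self._sessions.get(session_id)


def session_cookie_header(session_id):
    """Build the Set-Cookie header the web service (not the browser script)
    emits: HttpOnly keeps it away from JavaScript, Secure keeps it off
    plain HTTP, SameSite=Strict keeps it out of cross-site requests."""
    cookie = SimpleCookie()
    cookie["console_session"] = session_id
    morsel = cookie["console_session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def handle_console_login(store, token):
    """Assumed login endpoint the browser is sent to with the one-time token.
    Returns (status, headers); the token never appears in the response and
    the session value reaches the client only via the Set-Cookie header."""
    session_id = store.redeem(token)
    if session_id is None:
        return 403, {}
    return 302, {
        "Location": "/console",  # placeholder for the console page
        "Set-Cookie": session_cookie_header(session_id),
    }


if __name__ == "__main__":
    store = ConsoleTokenStore()
    token = store.issue_token("instance-1")
    print(handle_console_login(store, token))  # 302 with cookie header
    print(handle_console_login(store, token))  # (403, {}): token already used
```

A proxy log that captures the URL now holds only a token that has already been consumed (or expires within a minute), and a script injected into the page cannot read `console_session` because the browser enforces HttpOnly.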