[Openstack-security] [Bug 1417762] Re: XSS in network create error reporting
David Lyle
dklyle0 at gmail.com
Wed Sep 16 12:16:34 UTC 2015
** Changed in: horizon
Milestone: liberty-rc1 => next
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1417762
Title:
XSS in network create error reporting
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The error reporting in Horizon for creating a new network is
susceptible to a Cross-Site Scripting vulnerability. Example
request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img
src=zz
onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction":
{"net_profile_id": ["Select a valid choice. <img src=zz
onerror=alert(1)> is not one of the available choices."]}},
"workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json
response contains the user input and Horizon echo's it out. Although
it would be difficult to exploit this vulnerability because an
attacker would need to manipulate the hidden HTML net_profile_id
parameter or the POST body, Horizon should still HTML encode the
output.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1417762/+subscriptions
More information about the Openstack-security
mailing list