[Openstack-security] [Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks
Jeremy Stanley
fungi at yuggoth.org
Mon Nov 28 16:55:54 UTC 2016
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
Requests to create (and download) nova keypairs are made as GETs. As
such the CSRF token is not sent nor validated on these requests. This
breaks the principle Django's CSRF middleware relies upon which is that
requests with side effects should not cause side effects. I'm told there
was a reason for doing this related to being able to send the data back
to the browser, and that this may not be trivial to fix.
Filing this as a security bug since a malicious site could fool a user
into creating keypairs. The attacker would not gain access to the
contents, so the impact is not as serious as it might seem at first
glance.
See
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
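The middleware rule the report relies on, as an added illustration (not Horizon's code; the request model, view functions and store are constructed for the example): Django's CSRF check skips safe methods, so a keypair created on GET is never token-checked, while the same action behind POST is.

```python
"""Model of why a state-changing GET bypasses Django's CSRF middleware.
Added illustration, not Horizon code; all names here are constructed."""
from dataclasses import dataclass, field
import secrets

# Methods Django's CsrfViewMiddleware treats as safe and never checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_ok(req: Request) -> bool:
    """Simplified CsrfViewMiddleware rule: unsafe methods must carry a form
    token equal to the csrftoken cookie; safe methods pass unconditionally."""
    if req.method in SAFE_METHODS:
        return True
    cookie = req.cookies.get("csrftoken", "")
    token = req.form.get("csrfmiddlewaretoken", "")
    return bool(cookie) and secrets.compare_digest(cookie, token)


def keypair_view_before(req: Request, store: list) -> int:
    """Reported shape: keypair generated on GET so the key file can be
    streamed straight back to the browser. The middleware waves it through."""
    if not csrf_ok(req):
        return 403
    store.append(secrets.token_hex(8))  # side effect: a keypair is created
    return 200


def keypair_view_after(req: Request, store: list) -> int:
    """Hardened shape: creation only on POST, so the token check applies."""
    if req.method != "POST":
        return 405
    if not csrf_ok(req):
        return 403
    store.append(secrets.token_hex(8))
    return 200


def cross_site(method: str) -> Request:
    """Constructed request issued from another origin: the browser attaches
    the victim's cookies, but that origin cannot read them to fill the form."""
    return Request(method, cookies={"sessionid": "victim", "csrftoken": "c0ffee"})
```

Running the before/after views against `cross_site("GET")` and `cross_site("POST")` shows the GET variant creating a keypair with no token while the POST variant returns 405 or 403 until a matching token is supplied.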
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
** Tags added: security
https://bugs.launchpad.net/bugs/1575913
Title:
Generate and download keypair GET endpoint allows CSRF attacks
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisory:
Won't Fix