[Openstack-security] [Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks
Robert Clark
1575913 at bugs.launchpad.net
Tue Nov 29 12:41:29 UTC 2016
I'm out of the office so attempting to reply by email on phone.
A concern is that in the attack described, new keypairs could be created
that would later be used in a social engineering attack. Naming keys certain
ways might encourage their use in future or as part of a more complex
attack scenario.
On 28 Nov 2016 17:15, "Jeremy Stanley" <fungi at yuggoth.org> wrote:
> ** Description changed:
>
> - This issue is being treated as a potential security risk under embargo.
> - Please do not make any public mention of embargoed (private) security
> - vulnerabilities before their coordinated publication by the OpenStack
> - Vulnerability Management Team in the form of an official OpenStack
> - Security Advisory. This includes discussion of the bug or associated
> - fixes in public forums such as mailing lists, code review systems and
> - bug trackers. Please also avoid private disclosure to other individuals
> - not already approved for access to this information, and provide this
> - same reminder to those who are made aware of the issue prior to
> - publication. All discussion should remain confined to this private bug
> - report, and any proposed fixes should be added to the bug as
> - attachments.
> -
> Requests to create (and download) nova keypairs are made as GETs. As
> such the CSRF token is not sent nor validated on these requests. This
> breaks the principle Django's CSRF middleware relies upon which is that
> requests with side effects should not cause side effects. I'm told there
> was a reason for doing this related to being able to send the data back
> to the browser, and that this may not be trivial to fix.
>
> Filing this as a security bug since a malicious site could fool a user
> into creating keypairs. The attacker would not gain access to the
> contents, so the impact is not as serious as it might seem at first
> glance.
>
> See
> https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
>
> ** Changed in: ossa
> Status: Incomplete => Won't Fix
>
> ** Information type changed from Private Security to Public
>
> ** Tags added: security
>
> --
> You received this bug notification because you are a member of OSSG
> CoreSec, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1575913
>
> Title:
> Generate and download keypair GET endpoint allows CSRF attacks
>
> Status in OpenStack Dashboard (Horizon):
> New
> Status in OpenStack Security Advisory:
> Won't Fix
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1575913/+subscriptions
>
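As an added illustration (constructed for this page, not Horizon or Django code and not part of the thread), the following Python model shows why Django-style CSRF middleware never protects a GET endpoint that has side effects, and the hardened form that puts the keypair creation behind POST so the token check is actually exercised. The `Request`, `csrf_protect` and view names are assumptions for this example.

```python
# Added example (not Horizon/Django code): a minimal model of Django's
# CsrfViewMiddleware behaviour and of the bug discussed above. All names
# here are constructed for illustration.
from dataclasses import dataclass, field
import secrets

# Methods Django's CSRF middleware treats as safe and does not check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)  # e.g. {"csrftoken": ...}
    data: dict = field(default_factory=dict)     # query/form fields


def csrf_protect(view):
    """Mimic CsrfViewMiddleware: only unsafe methods must carry a form
    token matching the csrftoken cookie; safe methods pass straight through."""
    def wrapped(request, store):
        if request.method not in SAFE_METHODS:
            cookie = request.cookies.get("csrftoken", "")
            token = request.data.get("csrfmiddlewaretoken", "")
            if not cookie or not secrets.compare_digest(cookie, token):
                return 403, None
        return view(request, store)
    return wrapped


def create_keypair(store, name):
    # Side effect: a new keypair appears in the user's project (constructed).
    store[name] = f"-----BEGIN PRIVATE KEY----- (constructed for {name})"
    return store[name]


@csrf_protect
def vulnerable_generate_view(request, store):
    # The reported bug: creation happens on GET, which the middleware never
    # checks, so a request triggered from another site still creates a key.
    if request.method == "GET":
        return 200, create_keypair(store, request.data.get("name", "default"))
    return 405, None


@csrf_protect
def hardened_generate_view(request, store):
    # Fix: refuse safe methods for the side effect (what Django's
    # require_POST decorator does), so the CSRF check runs before creation.
    if request.method != "POST":
        return 405, None
    return 200, create_keypair(store, request.data.get("name", "default"))
```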