[Openstack-security] [Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks
Jeremy Stanley
fungi at yuggoth.org
Tue Nov 29 15:57:35 UTC 2016
Agreed, this is certainly worth fixing, and maybe even worth
backporting. I'm just questioning whether its severity is sufficient to
warrant wider communication given that exploiting it would rely on
social engineering or some other vulnerability allowing you to obtain a
user's keys or compel them to take some action through the UI/API (in
which case there are probably far easier ways to achieve the desired
outcome from your victim anyway). The line between a hardening
opportunity (D) and an impractical vulnerability (C1) is often pretty
fuzzy.
https://bugs.launchpad.net/bugs/1575913
Title: Generate and download keypair GET endpoint allows CSRF attacks
Status in OpenStack Dashboard (Horizon): New
Status in OpenStack Security Advisory: Won't Fix
Bug description:
Requests to create (and download) nova keypairs are made as GETs. As
such the CSRF token is not sent nor validated on these requests. This
breaks the principle Django's CSRF middleware relies upon which is
that requests with side effects should not cause side effects. I'm
told there was a reason for doing this related to being able to send
the data back to the browser, and that this may not be trivial to fix.
Filing this as a security bug since a malicious site could fool a user
into creating keypairs. The attacker would not gain access to the
contents, so the impact is not as serious as it might seem at first
glance.
See
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
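Added illustration of the mechanism described above (not Horizon's or Django's own code): Django's CsrfViewMiddleware skips the token check for the "safe" methods GET, HEAD, OPTIONS and TRACE, so a view that creates a keypair on GET is reachable from a third-party page with only the victim's cookies. The Request class, csrf_ok(), the keypair store and the two view functions are constructed stand-ins that model that rule and the POST-only fix.

```python
import secrets
from dataclasses import dataclass, field

# Methods Django's CsrfViewMiddleware treats as "safe" and never checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # sent automatically by the browser
    form: dict = field(default_factory=dict)      # body fields; a third-party page cannot supply the token

def csrf_ok(request: Request) -> bool:
    """Mirror the middleware rule: safe methods skip the check entirely;
    unsafe methods need csrfmiddlewaretoken to match the csrftoken cookie."""
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get("csrftoken", "")
    return bool(cookie) and secrets.compare_digest(cookie, request.form.get("csrfmiddlewaretoken", ""))

created_keypairs: list = []   # constructed stand-in for the Nova keypair store

def vulnerable_generate(request: Request, name: str) -> str:
    """Bug pattern: the keypair is created on GET, so csrf_ok() passes with no token at all."""
    if not csrf_ok(request):
        return "403"
    created_keypairs.append(name)
    return "200"   # the private key body goes to the victim's browser, not to the other site

def hardened_generate(request: Request, name: str) -> str:
    """Fix: the side effect only happens on POST, which forces the token check."""
    if request.method != "POST":
        return "405"
    if not csrf_ok(request):
        return "403"
    created_keypairs.append(name)
    return "200"

def cross_site_request(view, method: str) -> tuple:
    """Request issued from an unrelated origin while the user is logged in:
    cookies ride along, but the form cannot carry the token. Returns (status, keypairs created)."""
    created_keypairs.clear()
    req = Request(method=method, cookies={"sessionid": "victim", "csrftoken": "tok"})
    return view(req, "unwanted-keypair"), len(created_keypairs)

def legitimate_post(view) -> tuple:
    """Same-origin form submission rendered with the token, as Horizon's templates do."""
    created_keypairs.clear()
    req = Request("POST", {"sessionid": "victim", "csrftoken": "tok"}, {"csrfmiddlewaretoken": "tok"})
    return view(req, "my-keypair"), len(created_keypairs)
```

The cross-site GET creates a keypair against the vulnerable view and is refused by the hardened one, while a forged cross-site POST fails the token check in both; this matches the description's point that the impact is an unwanted keypair, not disclosure of its contents.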