Horizon does not set Secure Attribute in cookies

This one's a bit of a gray area... I guess the question is whether there's any reason this shouldn't be set, or should be configurable (do we support test deployments using cleartext HTTP?).

This is configurable via the Django SESSION_COOKIE_SECURE setting in Django 1.4+. We mention it in the Horizon docs (in Grizzly).

https://docs.djangoproject.com/en/dev/topics/security/#ssl-https
http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations

Joaquin, just to confirm, had you tried following the above documented recommendations for securing Horizon before performing your vulnerability scan? If not, does the above setting/documentation address your concern?

That would classify this as an (already documented) deployment option.
Maybe could make a good OSSN to remind people about that, together with bug 1191050.

Hello Jeremy,

Thank you for pointing out the relevant documentation. The proposed
settings seem to would address the concern. I'll have the product team
check their Django configuration.

Thank you,
--
Joaquin Berrios
PSIRT Incident Manager
Cisco Systems Inc.
e-mail: <email address hidden>
Work Phone: 512-378-1321
Cell Phone: 512-576-0697
PGP: 0x45F5AEA1

On 6/16/13 9:02 AM, "Jeremy Stanley" <email address hidden> wrote:

Joaquin, just to confirm, had you tried following the above documented
recommendations for securing Horizon before performing your
vulnerability scan? If not, does the above setting/documentation address
your concern?

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Version: 2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which
allows them to be sent over unencrypted requests. This could result in
stolen sessions, as it is trivial to force the browser to make unencrypted
requests. For more information see

https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-
002%29

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions

If everyone agrees I think we should open this bug publicly and add it to the OSSN queue.

Yes, I was hoping Joaquin might report back with confirmation that the recommended Django configuration option in our documentation had not actually been set in that environment during the original scans, and that enabling it did fix this issue as intended. Given however that this is the documented means of ensuring secure cookies, it seems safe to assume it works and make the bug report public (probably also invalid in Horizon or redirected to suggest increased visibility in the documentation).

Hello Jeremy,

I expect your assumption that the Django configuration has not been set is
accurate. I've asked the product team to confirm, but have not received a
reply from them yet. I'm following up with them again, and should be able
to confirm this for you later today.

Thanks,
--
Joaquin Berrios
PSIRT Incident Manager
Cisco Systems Inc.
e-mail: <email address hidden>
Work Phone: 512-378-1321
Cell Phone: 512-576-0697
PGP: 0x45F5AEA1

On 6/20/13 9:13 AM, "Jeremy Stanley" <email address hidden> wrote:

Yes, I was hoping Joaquin might report back with confirmation that the
recommended Django configuration option in our documentation had not
actually been set in that environment during the original scans, and
that enabling it did fix this issue as intended. Given however that this
is the documented means of ensuring secure cookies, it seems safe to
assume it works and make the bug report public (probably also invalid in
Horizon or redirected to suggest increased visibility in the
documentation).

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Version: 2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which
allows them to be sent over unencrypted requests. This could result in
stolen sessions, as it is trivial to force the browser to make unencrypted
requests. For more information see

https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-
002%29

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions

@Joaquin: any news on that ?

@Joaquin: unless we hear from you very soon we'll open this bug publicly and add it to the OSSN queue.

Would make a great "recommended Django deploy options for Horizon" OSSN together with bug 1191050

I think Bug 1191050 is actually a deployment issue rather than django, I'll go ahead and cut a django config for Horizon OSSN for this as Secure cookies should certainly be enabled. Future django-config OSSNs will link together.

Horizon does not set Secure Attribute in cookies
-----
### Summary ###
Horizon does not, by default, set the Secure Attribute in cookies

### Affected Services / Software ###
Horizon, Django

### Discussion ###
When used in production, Horizon should have the Secure Attribute for cookies set. When this flag is set, browsers will only transfer the cookie over secure channels. Without it set, browsers may transfer the cookie over plain-text channels, potentially exposing the contents to an attacker who can then use the cookie to authenticate with the Horizon server as the original user.

### Recommended Actions ###
Enable secure cookie by setting the SESSION_COOKIE_SECURE config flag to true:
https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SESSION_COOKIE_SECURE

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1191051
Related Horizon/Django OSSN : https://bugs.launchpad.net/ossn/+bug/1191050
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Posted to OpenStack ML 19-9-13