[OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)

I confirmed/reproduced this on the volumes page when attaching to an instance. Could not reproduce on the 'network topology' page.

So sanitizing the input is not sufficient, because someone using the APIs can potentially push dangerous names directly that way. So best approach is to make sure any values coming out are not left as raw HTML.

I think this one should generate an advisory. We'll develop the fix and advisory in private, so the patches should not be pushed to gerrit for public review.

David: you should attach the proposed patches to this bug and get them reviewed using bug comments. Feel free to "subscribe" anyone from Horizon that can help so that they get access to this bug.

I think the fix already went in: https://review.openstack.org/#/c/55175/ and probably needs to be backported.

Making bug public since it was publicly fixed.
Which versions are affected by this ?

Does this only affect havana or is Grizzly affected ?

This affect Grizzly as well.

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58256

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58465

Could this one be proposed as a stable/grizzly backport ?

We also need to doublecheck with the reporter on the "Network Topology" case.

David: did you go through the code to try to catch other occurences of the same issue (API-provided names used to trigger XSS in the web UI ?)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/58820

The reporter, Chris Chapman, has been subscribed to this bug since I first opened it...

Chris, does the proposed patch also address your issue as reported with regard to javascript being executed on the "Network Topology" page?

Reviewed: https://review.openstack.org/58465
Committed: http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
Submitter: Jenkins
Branch: stable/havana

commit 6179f70290783e55b10bbd4b3b7ee74db3f8ef70
Author: Rob Raymond <email address hidden>
Date: Mon Nov 4 12:12:40 2013 -0700

    Fix bug by escaping strings from Nova before displaying them

    Fixes bug #1247675

    (cherry-picked from commit b8ff480)
    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101

Note that stable/grizzly backport is blocked on bug 1255419
Could infra force push it until Tempest is fixed?

Assigned a CVE for this issue since it's public.

Alan: If we take any "emergency" actions from an infra perspective, I'd rather see an emergency revert of all code depending on newer iso8601 (until it can be introduced in a safer manner) rather than an emergency bypass of all testing for security changes (this isn't the only one it's blocking, after all).

Kurt: Thanks! We had been holding off requesting a CVE until we had an accurate description of the actual vulnerability (since that has a tendency to evolve while patches are written and tested). If that's not necessary, I will be happy to start formally requesting them sooner and allow you to simply edit or reject them later as needed.

This should be CVE-2013-6858. I assigned CVE-2013-6406, it's a duplicate, it has been REJECT'ed

http://seclists.org/oss-sec/2013/q4/407

Proposed impact description...
-----

Title: Insufficient sanitization of Instance Name in Horizon
Reporter: Cisco PSIRT
Products: Horizon
Affects: All supported releases

Description:
Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.

+1

Scheduled advisory publication date is Wednesday, December 11, 2013 at 1500UTC.

Reviewed: https://review.openstack.org/58820
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b14debc73132d1253220192e110f00f62ddb8bbc
Submitter: Jenkins
Branch: stable/grizzly

commit b14debc73132d1253220192e110f00f62ddb8bbc
Author: Rob Raymond <email address hidden>
Date: Mon Nov 4 12:12:40 2013 -0700

    Fix bug by escaping strings from Nova before displaying them

    Fixes bug #1247675

    (cherry-picked from commit b8ff480)
    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101

Hi Jeremy,

I want to confirm that this issue was also fixed on the "network topology"
page as well as the "Volumes" & "Images and Snapshots" pages.

Please confirm.

Thank you,
Chris

On 12/16/13 1:56 PM, "Jeremy Stanley" <email address hidden> wrote:

>** Changed in: ossa
> Status: Fix Committed => Fix Released
>
>--
>You received this bug notification because you are subscribed to the bug
>report.
>https://bugs.launchpad.net/bugs/1247675
>
>Title:
> [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon
> (CVE-2013-6858)
>
>Status in OpenStack Dashboard (Horizon):
> Fix Released
>Status in OpenStack Dashboard (Horizon) grizzly series:
> Fix Committed
>Status in OpenStack Dashboard (Horizon) havana series:
> Fix Committed
>Status in OpenStack Security Advisories:
> Fix Released
>
>Bug description:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello,
>
> My name is Chris Chapman, I am an Incident Manager with Cisco PSIRT.
>
> I would like to report the following XSS issue found in the OpenStack
> WebUI that was reported to Cisco.
>
> The details are as follows:
>
> The OpenStack web user interface is vulnerable to XSS:
>
> While launching (or editing) an instance, injecting <script> tags in
> the instance name results in the javascript being executed on the
> "Volumes" and the "Network Topology" page. This is a classic Stored
> XSS vulnerability.
>
> Recommendations:
> - - Sanitize the "Instance Name" string to prevent XSS.
> - - Sanitize all user input to prevent XSS.
> - - Consider utilizing Content Security Policy (CSP). This can be used
> to prevent inline javascript from executing & only load javascript
> files from approved domains. This would prevent XSS, even in
> scenarios where user input is not
> properly sanitized.
>
>
> Please include PSIRT-2070334443 in the subject line for all
> communications on this issue with Cisco going forward.
>
> If you can also include any case number that this issue is assigned
> that will help us track the issue.
>
> Thank you,
> Chris
>
> Chris Chapman | Incident Manager
> Cisco Product Security Incident Response Team - PSIRT
> Security Research and Operations
> Office: (949) 823-3167 | Direct: (562) 208-0043
> Email: <email address hidden>
> SIO: http://www.cisco.com/security
> PGP: 0x959B3169
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBCgAGBQJSc8QQAAoJEPMPZe6VmzFpLw8H/1h2ZhqKJs6nxZDGnDpn3N2t
> 6S6vwx3UYZGG5O1TTx1wrZkkHxckAg8GzMBJa6HFXPs1Zr0o9nhuLfvdKfShQFUA
> HqWMPOFPKid2LML2FMOGAWAdQAG6YTMknZ9d8JTvHI2BhluOsjxlOa0TBNr/Gm+Z
> iwAOBmAgJqU2nWx1iomiGhUpwX2oaQuqDyaosycpVtv0gQAtYsEf7zYdRNod7kB5
> 6CGEXJ8J161Bd04dta99onFAB1swroOpOgUopUoONK4nHDxot/MojnvusDmWe2Fs
> usVLh7d6hB3eDyWpVFhbKwSW+Bkmku1Tl0asCgm1Uy9DkrY23UGZuIqKhFs5A8U=
> =gycf
> -----END PGP SIGNATURE-----
>
>To manage notifications about this bug go to:
>https://bugs.launchpad.net/horizon/+bug/1247675/+subscriptions

I could not reproduce a XSS issue on the Network Topology panel. From the comment above, Dave Lyle was not able to either.

I thought perhaps in the original bug that someone created an instance on the Network Topology page that contained <script> tags and that those tags were then being executed on the Volumes page. If the fix was to sanitize the input, then that is the logical place to do this.

But the fix was to make sure that places that display the instance name, escape the string so that the browser does not interpret it but only displays it. I took a pass through to see if this happens in other places that we call marksafe. Those are the places changed in this fix.