[OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)

Bug #1322197 reported by Jeremy Stanley
Affects                          Status        Importance  Assigned to     Milestone
OpenStack Dashboard (Horizon)    Fix Released  High        Julie Pichon
  Havana                         Fix Released  Undecided   Unassigned
  Icehouse                       Fix Released  Undecided   Unassigned
OpenStack Security Advisory      Fix Released  High        Jeremy Stanley

Bug Description

Received 2014-05-20 18:52:34 UTC via encrypted E-mail from "Craig Lorentzen (crlorent)" <email address hidden>:

Hello Jeremy,

This is Craig Lorentzen from the Product Security Incident Response Team
(PSIRT) at Cisco Systems. The purpose of this email is to disclose to
you a vulnerability that was found during testing of a Cisco Product
using OpenStack. Below please find the original discoverer's notes.
Please let us know if there is anything else you need regarding this.
Please also provide a tracking number for our records.

-----

Headline: Persistent XSS in OpenStack Havana UI for Network Name
Platforms: OpenStack Horizon
Versions: Havana
CVSS Score: 9.0
CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
CWE Tags:

The OpenStack Horizon user interface is vulnerable to XSS. The Network Name
parameter is not properly sanitized to prevent JavaScript injection, leading
to persistent XSS.

Steps to reproduce:

1) Create a new network. Use:

    <script>alert(1);</script>

for the network name. Disable both Subnet -> Create Subnet and Subnet Detail ->
Enable DHCP. Choose Create.

2) Select Instances -> Launch Instance. Receive alert.

Recommendations:

- Sanitize the rendering of "Network Name" string to prevent XSS.

- Consider utilizing Content Security Policy (CSP). This can be used to prevent
inline JavaScript from executing & only load JavaScript files from approved
domains. This would prevent XSS, even in scenarios where user input is not
properly sanitized.

-----

Thank You,
Craig Lorentzen
Incident Manager
Cisco Product Security Incident Response Team
Security Research and Operations
Office: 919.574.5680
Email: <email address hidden>
SIO: http://www.cisco.com/security
PGP: 0x30A6C8ED
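
The second recommendation in the report above, a Content Security Policy that refuses inline script and only loads scripts from approved hosts, as an added example. This is not Horizon's code or configuration: it is a generic header builder, a small policy check, and a plain WSGI wrapper that attaches the header; the host names and the demo application are placeholders constructed for the example.

```python
# Added example (not Horizon's code): the Content-Security-Policy the reporter
# recommends, as a header builder, a small policy check, and a generic WSGI
# wrapper that attaches it. Host names below are placeholders.


def build_csp(script_hosts=(), report_uri=None):
    """Build a policy that forbids inline script and only loads scripts from
    the page's own origin plus the approved hosts given."""
    sources = ["'self'"] + list(script_hosts)
    directives = [
        "default-src 'self'",
        # no 'unsafe-inline': an injected inline <script> block is refused
        "script-src " + " ".join(sources),
        "object-src 'none'",
    ]
    if report_uri:
        directives.append("report-uri " + report_uri)
    return "; ".join(directives)


def parse_csp(policy):
    """Split a policy string into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def allows_inline_script(policy):
    """True when the effective script directive (script-src, else default-src)
    lists 'unsafe-inline', i.e. the policy would still run injected inline
    script such as the payload in the report."""
    directives = parse_csp(policy)
    effective = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in [s.lower() for s in effective]


class CSPMiddleware:
    """Generic WSGI wrapper: sets the header on every response, replacing any
    policy the wrapped application already set."""

    def __init__(self, app, policy):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def start_with_csp(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", self.policy))
            return start_response(status, headers, exc_info)
        return self.app(environ, start_with_csp)


def demo_app(environ, start_response):
    """Constructed stand-in for the dashboard: one HTML page."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>Launch Instance</body></html>"]


def run_request(app, path="/"):
    """Drive one GET through a WSGI app offline; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    policy = build_csp(["https://static.example.com"])
    status, headers, body = run_request(CSPMiddleware(demo_app, policy))
    print(status, headers["Content-Security-Policy"])
    print("inline script allowed:", allows_inline_script(policy))
```

A policy without 'unsafe-inline' only helps if the application's own templates carry no inline script, so a report-uri directive in report-only mode is the usual way to find violations before enforcing the header.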

CVE References

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
David Lyle (david-lyle) wrote :

Tested and this is also an issue on master.

Changed in horizon:
status: New → Confirmed
importance: Undecided → High
Jeremy Stanley (fungi) wrote :

Seems we need series tasks for havana and icehouse in that case. Anyone have an idea of whether it also affects releases prior to havana and, if so, how many? Once I have that I can take a stab at drafting an impact description.

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Thierry Carrez (ttx)
Changed in horizon:
assignee: nobody → Julie Pichon (jpichon)
Tristan Cacqueray (tristan-cacqueray) wrote :

We'll be coordinating a common advisory with the bug https://bugs.launchpad.net/ossa/+bug/1308727

Thierry Carrez (ttx)
Changed in ossa:
status: Confirmed → Triaged
Jeremy Stanley (fungi) wrote :

The reporter also followed up via a second encrypted E-mail to suggest that this may be related to the network topology XSS mentioned (but unreproduced) in prior bug 1247675.

summary: - Persistent XSS in OpenStack Havana UI for Network Name
+ Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)
Thierry Carrez (ttx)
Changed in ossa:
status: Triaged → In Progress
Matthias Runge (mrunge) wrote : Re: Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)

The question here is if it's desirable to be able to name a network like an HTML tag:
<your name here>
or if we should scrub those ampersands at all.

A proposal to sanitize names and to escape js is in the patch.

Julie Pichon (jpichon) wrote :

At the moment we're tracking the fixes for the 3 XSS vulnerabilities in bug 1308727, maybe this can be added to it? Comments/feedback welcome either way, thank you!

Tristan Cacqueray (tristan-cacqueray) wrote :

Disclosure date is set to:
2014-07-08, 1500 UTC

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/105476

Changed in horizon:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/105477

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/105478

summary: - Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)
+ [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name
+ (CVE-2014-3474)
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/105476
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=de4466d88b816437fb29eff5ab23b9b964cd3985
Submitter: Jenkins
Branch: master

commit de4466d88b816437fb29eff5ab23b9b964cd3985
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
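
The escaping pattern behind two parts of this report, as an added example that is not Horizon's code: the reporter's first recommendation (sanitize the rendering of the network name) and the commit message's point that a filter like urlize expects input that is already escaped. The network chooser, the urlize-style helper and the sample names are constructed for the example; Python's html.escape stands in for Django's escape, since both replace the same five markup-significant characters (& < > " ').

```python
import html
import re

# Added example, not Horizon's own code. It shows the pattern the fix commit
# describes: escape user-controlled strings before splicing them into markup,
# and before handing them to a filter (such as Django's urlize) that expects
# its input to be escaped already. html.escape stands in for Django's escape.

# Constructed sample network names, as a tenant user could submit them.
SAMPLE_NETWORKS = [
    ("net-1", "private"),
    ("net-2", "<script>alert(1);</script>"),      # the reporter's proof of concept
    ("net-3", "Tom & Jerry's \"lab\" <lan>"),     # legitimate but markup-significant
]

# Minimal stand-in for an urlize-style filter: wraps bare e-mail addresses in
# mailto links and returns the result as markup. Like the real filter, it does
# NOT escape its input, so the caller has to do that first.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def urlize_emails(text):
    return EMAIL_RE.sub(
        lambda m: '<a href="mailto:%s">%s</a>' % (m.group(0), m.group(0)), text)


def render_network_option_unsafe(net_id, name):
    """Vulnerable pattern: the raw name is spliced straight into HTML."""
    return '<option value="%s">%s</option>' % (net_id, name)


def render_network_option(net_id, name):
    """Hardened: escape both the attribute value and the text node."""
    return '<option value="%s">%s</option>' % (
        html.escape(net_id, quote=True), html.escape(name, quote=True))


def render_network_select(networks):
    """Launch Instance style network chooser built only from escaped options."""
    options = "".join(render_network_option(i, n) for i, n in networks)
    return '<select name="network">%s</select>' % options


def email_link_unsafe(email):
    """Vulnerable pattern: the filter applied to an unvalidated, unescaped string."""
    return urlize_emails(email)


def email_link(email):
    """Hardened: escape first, then let the filter add the link markup."""
    return urlize_emails(html.escape(email, quote=True))


def leaks_raw_markup(rendered, user_value):
    """Regression check: does a markup-bearing user value survive verbatim?"""
    return "<" in user_value and user_value in rendered


if __name__ == "__main__":
    for net_id, name in SAMPLE_NETWORKS:
        print("unsafe:", render_network_option_unsafe(net_id, name))
        print("safe:  ", render_network_option(net_id, name))
    # Constructed address: the reporter's payload prepended to a valid mailbox.
    bad_email = "<script>alert(1);</script>mallory@example.com"
    print("unsafe:", email_link_unsafe(bad_email))
    print("safe:  ", email_link(bad_email))
```

The order matters in the second case: escaping after the filter would also neutralise the anchor the filter just produced, which is why the commit escapes the address first and only then builds the link.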

Changed in horizon:
status: In Progress → Fix Committed
Changed in ossa:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/icehouse)

Reviewed: https://review.openstack.org/105477
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=32a7b713468161282f2ea01d5e2faff980d924cd
Submitter: Jenkins
Branch: stable/icehouse

commit 32a7b713468161282f2ea01d5e2faff980d924cd
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/havana)

Reviewed: https://review.openstack.org/105478
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c844bd692894353c60b320005b804970605e910f
Submitter: Jenkins
Branch: stable/havana

commit c844bd692894353c60b320005b804970605e910f
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Conflicts:
     horizon/tables/base.py
     openstack_dashboard/dashboards/admin/users/tables.py

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-havana
Changed in horizon:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: juno-2 → 2014.2