[Horizon] Can not delete container with XSS-injected name
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | Medium | Vlad Okhrimenko |
6.1.x | Won't Fix | Medium | MOS Horizon |
7.0.x | Fix Released | Medium | Vlad Okhrimenko |
Bug Description
Steps:
1. Log in to the Horizon Dashboard as an admin user.
2. Navigate to Project -> Object Store -> Containers page.
3. Create containers with the following names:
3.1 '';!--"<XSS>=&{()}
3.2 <IMG SRC="javascript
3.3 <IMG SRC=javascript:
4. Try to delete these containers.
dashboard.log snippet:
ClientException: Container GET failed: http://
<139>Jun 17 10:35:09 node-1 dashboard-
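An added check, not part of this bug report or of Horizon's code, that separates the two encodings a name such as the one in step 3.1 needs: percent-encoding as a single path segment of a Swift-style URL (so the GET/DELETE request addresses the same container that was created) and HTML escaping for display in the dashboard. The storage URL and the second sample name are constructed placeholders; that the failure is caused by the raw name landing in the request path is an assumption, not something the report establishes.

```python
import html
from urllib.parse import quote, unquote

# First name is taken from step 3.1 of the report; the second is a constructed
# variant (the report's own names for 3.2 and 3.3 are cut off), third is a control.
SAMPLE_NAMES = [
    """'';!--"<XSS>=&{()}""",
    '<IMG SRC="javascript:alert(1)">',  # constructed sample
    "plain-container-name",
]

# Placeholder account URL (assumption, not from the report).
STORAGE_URL = "http://swift.example.invalid:8080/v1/AUTH_test"


def container_path(name: str) -> str:
    """Percent-encode a container name as exactly one URL path segment.
    safe='' also encodes '/', so the name cannot introduce extra segments."""
    return quote(name, safe="")


def container_url(name: str) -> str:
    """Build the container URL the API client should request."""
    return f"{STORAGE_URL}/{container_path(name)}"


def render_name(name: str) -> str:
    """HTML-escape the name for display so the browser sees text, not markup."""
    return html.escape(name, quote=True)


def round_trips(name: str) -> bool:
    """The encoded segment decodes back to the original name, so create and
    delete target the same container."""
    return unquote(container_path(name)) == name


def is_single_segment(name: str) -> bool:
    """No path, query or fragment delimiters survive in the encoded segment."""
    seg = container_path(name)
    return not any(ch in seg for ch in "/?#&")


def check(name: str) -> dict:
    """Summarise how a given name behaves under both encodings."""
    shown = render_name(name)
    return {
        "url": container_url(name),
        "display": shown,
        "round_trip": round_trips(name),
        "single_segment": is_single_segment(name),
        "markup_escaped": "<" not in shown and ">" not in shown,
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(check(n))
```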
Configuration:
Juno on Ubuntu 14.04.1
1 Controller+CephOSD
1 Compute+CephOSD
1 Storage+CephOSD
Ceph RadosGW for objects (Swift API), Ceph RBD for volumes and Images
Neutron with VLAN segmentation
VERSION:
feature_groups:
- mirantis
production: "docker"
release: "6.1"
openstack_
api: "1.0"
build_number: "522"
build_id: "2015-06-
nailgun_sha: "fa8dec50f3df26
python-
astute_sha: "1ea8017fe88894
fuel-library_sha: "3528dddbd0c961
fuel-ostf_sha: "8fefcf7c464937
fuelmain_sha: "42020c36d6dec9
@Kyrylo, did you check if containers are deletable with swift client via CLI?