Permanent Cookie Contains Sensitive Session Information

Bug #1522850 reported by Adam Heczko
Affects             Status        Importance  Assigned to      Milestone
Mirantis OpenStack  Fix Released  High        Paul Karikh
5.1.x               Won't Fix     Medium      Unassigned
6.0.x               Won't Fix     Medium      Unassigned
6.1.x               Won't Fix     Medium      Unassigned
7.0.x               Won't Fix     Medium      MOS Maintenance

Bug Description

Observed on:
All Horizon implementations using Django versions prior to 1.7

Problem description:
The HTTP session cookie (Horizon cookie) containing the CSRF token is stored on disk for a long period of time.
This makes it possible to perform a CSRF attack on Horizon when the cookie gets revealed/stolen from disk.

Upstream bug report:
https://bugs.launchpad.net/horizon/+bug/1369865

Solution proposal:
- ensure that we ship MOS with an appropriate Django version (>=1.7)
- patch the Django shipped with MOS if an older version is used
- apply other CSRF preventive measures:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/

Tags: area-horizon
Changed in mos:
milestone: none → 8.0
importance: Undecided → Medium
assignee: nobody → MOS Horizon (mos-horizon)
description: updated
Changed in mos:
status: New → Confirmed
Vitaly Sedelnik (vsedelnik) wrote :

Won't Fix for 7.0-updates because of Medium importance

Timur Sufiev (tsufiev-x)
tags: added: horizon
Timur Sufiev (tsufiev-x)
Changed in mos:
assignee: MOS Horizon (mos-horizon) → Timur Sufiev (tsufiev-x)
Timur Sufiev (tsufiev-x) wrote :

In release 8.0 django 1.7 is used for Ubuntu, CentOS has django 1.8. So the bug is not relevant for 8.0.

Changed in mos:
status: Confirmed → Fix Committed
information type: Private Security → Public Security
Adam Heczko (aheczko-mirantis) wrote :

I'd suggest backporting the one-line fix described here:
https://review.openstack.org/#/c/246611/

Changed in mos:
importance: Medium → High
status: Fix Committed → Confirmed
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Kent Wang <email address hidden>
Review: https://review.fuel-infra.org/15475

Paul Karikh (pkarikh)
Changed in mos:
status: Confirmed → In Progress
assignee: Timur Sufiev (tsufiev-x) → Paul Karikh (pkarikh)
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-8.0/liberty)

Reviewed: https://review.fuel-infra.org/15475
Submitter: Pkgs Jenkins <email address hidden>
Branch: openstack-ci/fuel-8.0/liberty

Commit: 35adc081075bc32c8f590c62060798af25cd11f8
Author: Kent Wang <email address hidden>
Date: Wed Dec 23 11:31:21 2015

Change Permanent Cookie Contain Sensitive Info

Right now, the 'csrftoken' cookie is stored on disk as a permanent
cookie. There is a risk for sensitive session information (cookies)
that are persisted on disk as permanent cookies.

This fixes this issue by storing the cookies in-memory instead of
in persistent storage.

Change-Id: Ia45b09571d495d4f98b60545903af72eb0f061c2
Closes-Bug: #1522850

Timur Sufiev (tsufiev-x)
Changed in mos:
status: In Progress → Fix Committed
tags: added: area-horizon
removed: horizon
Alexander Petrov (apetrov-n) wrote :

This issue was verified under Firefox browser for MOS 8.0 RC1

Steps to reproduce:
1. Log in to Horizon at <host>
2. cd ~/.mozilla/firefox/<profile>
3. sqlite3 cookies.sqlite
4. select * from moz_cookies where baseDomain like '<host>';
5. make sure that the record with name 'csrftoken' doesn't exist
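As an added example (not code from this bug, Horizon or MOS), the three checks a maintainer would run around this fix: whether a Django settings mapping will emit a permanent csrftoken (Django 1.7 introduced CSRF_COOKIE_AGE, and None makes it a session cookie), which sensitive cookies a Set-Cookie header makes persistent, and the cookies.sqlite query from the verification steps above run against a constructed, cut-down moz_cookies table. The cookie names in SENSITIVE, the sample domains and the sample rows are assumptions made for the example.

```python
import sqlite3
from http.cookies import SimpleCookie

# Cookies that must stay session-scoped (in memory only), as this bug requires.
SENSITIVE = {"csrftoken", "sessionid"}
# Django's built-in default for CSRF_COOKIE_AGE (52 weeks, in seconds).
DJANGO_DEFAULT_CSRF_COOKIE_AGE = 31449600


def csrf_cookie_is_persistent(settings):
    """True when a Django settings mapping would emit a permanent csrftoken.
    Django >= 1.7 reads CSRF_COOKIE_AGE; None turns it into a session cookie,
    the in-memory behaviour the fix in this bug describes."""
    return settings.get("CSRF_COOKIE_AGE", DJANGO_DEFAULT_CSRF_COOKIE_AGE) is not None


def persistent_sensitive_cookies(set_cookie_headers):
    """Audit Set-Cookie headers from a Horizon response: return the sensitive
    cookie names carrying Expires or Max-Age, which browsers write to disk."""
    found = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in SENSITIVE and (morsel["expires"] or morsel["max-age"]):
                found.add(name)
    return sorted(found)


def persistent_sensitive_rows(conn, base_domain):
    """The bug's verification step as code: Firefox keeps only persistent cookies
    in cookies.sqlite, so a sensitive name found for base_domain reached disk."""
    rows = conn.execute(
        "SELECT name FROM moz_cookies WHERE baseDomain LIKE ? AND name IN (?, ?)",
        (base_domain, *sorted(SENSITIVE)))
    return sorted({row[0] for row in rows})


def sample_cookie_db():
    """Constructed in-memory stand-in for ~/.mozilla/firefox/<profile>/cookies.sqlite,
    cut down to the columns the check reads (the real moz_cookies table has more)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT,"
                 " name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER)")
    conn.executemany(
        "INSERT INTO moz_cookies (baseDomain, name, value, host, path, expiry)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [("unpatched.example", "csrftoken", "t0k3n", "unpatched.example", "/", 1482406281),
         ("unpatched.example", "sessionid", "s3ss", "unpatched.example", "/", 1482406281),
         ("patched.example", "theme", "dark", "patched.example", "/", 1482406281)])
    return conn
```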

Changed in mos:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
