Possible XSS / clickjacking, missing headers

Bug #1637112 reported by Adam Heczko
Affects: Fuel for OpenStack
Status: Invalid
Importance: High
Assigned to: Sergii Rizvan

Bug Description

Detailed bug description:

HTTP request to http://10.226.6.13:10000/login.jsp
HTTP response code was an expected 200
HTTP header 'Content-Type' was present and matched expectation

HTTP header 'Content-Security-Policy' not present
HTTP header 'X-Frame-Options' not present

Expected results:
Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.
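
The check below is an added example, not part of the bug report and not Fuel code: it parses a raw HTTP/1.x response and reports whether the two headers the scanner flagged (X-Frame-Options, and a Content-Security-Policy with a frame-ancestors directive) actually restrict framing. The two sample responses are constructed to mirror what the scanner saw and what the expected result asks for.

```python
# Added example: defender-side check for the anti-framing headers named in the report.
# Not part of the bug report or of Fuel; the sample responses below are constructed.
from typing import Dict, List

# X-Frame-Options values that restrict framing; anything else is treated as a finding.
SAFE_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a {header-name: value} dict.

    Header names are lower-cased because HTTP header names are case-insensitive;
    repeated headers are joined with ', '.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_framing_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means framing is restricted.

    X-Frame-Options is the legacy control; CSP frame-ancestors supersedes it in
    browsers that implement it, so a hardened response carries both.
    """
    findings: List[str] = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options not present")
    elif xfo.upper() not in SAFE_XFO_VALUES:
        findings.append(f"X-Frame-Options value {xfo!r} does not restrict framing")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy not present")
    else:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is None:
            findings.append("Content-Security-Policy present but has no frame-ancestors directive")
        elif "*" in ancestors:
            findings.append("frame-ancestors allows any origin (*)")
    return findings


def check_response(raw: str) -> List[str]:
    """Convenience wrapper: raw response text in, findings out."""
    return check_framing_headers(parse_response_headers(raw))


# Constructed sample: what the scanner saw (200 with Content-Type only).
REPORTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response carrying the headers the report asks for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("reported", REPORTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or ["OK"])
```

Running it prints the two missing-header findings for the reported response and OK for the hardened one. The check deliberately treats a CSP without frame-ancestors as a finding: a policy that only sets default-src does nothing about framing, which is the gap X-Frame-Options and frame-ancestors exist to close.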

Changed in fuel:
importance: Undecided → High
assignee: nobody → MOS Maintenance (mos-maintenance)
Sergii Rizvan (srizvan)
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Sergii Rizvan (srizvan)
Adam Heczko (aheczko-mirantis) wrote:

http://10.226.6.13:10000/login.jsp is not a Fuel endpoint. Most likely this bug report is invalid and not related to Fuel.

Changed in fuel:
status: New → Triaged
Sergii Rizvan (srizvan)
Changed in fuel:
status: Triaged → Invalid
milestone: 8.0-mu-4 → 8.0-updates
This report contains Public Security information
Everyone can see this security related information.