OpenStack Dashboard (Horizon)

refreshing in log viewer interprets html and javascript

Bug #977944 reported by J. Daniel Schmidt on 2012-04-10

270

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Fix Released	Critical	Unassigned	OpenStack Dashboard (Horizon) 2012.2 "folsom"
	Essex	Fix Released	Critical	Unassigned	OpenStack Dashboard (Horizon) 2012.1.1

Bug Description

In the log viewer the refreshing mechanism does not escape the fetched log data.
This means that HTML with Javascript code gets interpreted as such and thus code can be injected in a dashboard session.

A harmless test for this is this command run inside a VM:
# echo "<b>test</b>" > /dev/ttyS0

This opens up even more creativity:
# echo "<script>alert('test foobar')</script>" > /dev/ttyS0

After loading the log you just have to wait (a few seconds) for the first refresh.

Tags:

CVE References

2012-2094

J. Daniel Schmidt (jdsn) on 2012-04-10

summary:

- refreshing in log viewer interprets html
+ refreshing in log viewer interprets html and javascript

Revision history for this message

Matthias Weckbecker (mweckbecker) wrote on 2012-04-10:

Thanks for your report, jdsn.

In other words this is a Cross-Site Scripting flaw which could be used to steal the session id of the logged in user viewing the logs.

I would recommend getting a CVE for it if this affects released products / software.

Revision history for this message

Robert Clark (robert-clark) wrote on 2012-04-10:

Lots of interesting attacks could leverage this.

Definitely needs a CVE in my opinion.

Revision history for this message

Matthias Weckbecker (mweckbecker) wrote on 2012-04-10:

Robert, I agree with you. I will take care and get us one.

Since I have found the issue I guess according to the unwritten rule I have to suggest a CRD / disclosing date. Would 2012/04/20? be acceptable?

Revision history for this message

J. Daniel Schmidt (jdsn) wrote on 2012-04-10:

fix-html-injection Edit (776 bytes, text/plain)

Proposed fix for this issue.
As this will be a CVE I attach it here rather than sending it directly to gerrit.

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-10:

Subscribed Horizon PTL to the bug.

For reference, here is the process we follow for vulnerability management in OpenStack: http://wiki.openstack.org/VulnerabilityManagement

I'd like to hold off on deciding on a CRD until we're ready to send out an advance notification of the issue. Next steps:

1) We will need a patch for both master and stable/essex. I suspect that the same patch will apply fine to both in this case.

2) The patch(es) need to be pre-approved on this bug by two members of horizon-core. Devin, can you handle that?

3) Once all of that is done, we can decide on a CRD and one of the VMT members can send out the advance notification. (I don't mind doing it.)

Revision history for this message

Devin Carlen (devcamcar) wrote on 2012-04-10:

+2 for the patch

tags:	added: essex-backport-potential
Changed in horizon:
milestone:	none → folsom-1
status:	New → Triaged
importance:	Undecided → Critical
assignee:	nobody → Nebula (nebula)

Revision history for this message

Gabriel Hurley (gabriel-hurley) wrote on 2012-04-10:

Reviewed, +2, and I'm reasonably satisified this type of problem isn't exposed similarly elsewhere at the moment.

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-10:

Thanks! Can you help clarify the scope of the vulnerability? What all is this log viewer used for? Is it just for viewing output from VM consoles? Anything more than that?

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-10:

Regarding the CRD (coordinated release date), I would normally propose a day next week. Given that a significant portion of the people responsible for getting the patch merged or updating packages will be busy at the OpenStack conference, we could do it 2 weeks out: Tuesday, April 24th. Would you consider this critical enough that we just do what it takes to get it released next week? If so, I'd say Tuesday, April 17th. I'm fine either way.

Revision history for this message

Devin Carlen (devcamcar) wrote on 2012-04-10:

#10

Hi Russel, you are correct - the log viewer allows you to tail the logs of the guest consoles.

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-10:

#11

Proposed description. Feedback welcome.

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: J. Daniel Schmidt <email address hidden>
Products: Horizon
Affects: All versions

Description:
J. Daniel Schmidt reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

Revision history for this message

Devin Carlen (devcamcar) wrote on 2012-04-10:

#12

This description is accurate.

Revision history for this message

Devin Carlen (devcamcar) wrote on 2012-04-10:

#13

Let's do Tuesday April 17th.

Revision history for this message

Paul McMillan (paul-mcmillan) wrote on 2012-04-11:

#14

+2 on the fix, it looks good.

Agree on the earlier release date. This is absolutely critical, since it can relatively easily be exploited to gain administrator privileges in many cases.

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-11:

#15

As requested, here is the updated description that reflects Matthias as the reporter since he originally found the issue :

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <email address hidden>
Products: Horizon
Affects: All versions

Description:
Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

Revision history for this message

Bernhard M. Wiedemann (ubuntubmw) wrote on 2012-04-17:

#16

https://review.openstack.org/6618

visibility:

private → public

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-04-17: Fix proposed to horizon (stable/essex)

#17

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/6621

Revision history for this message

Russell Bryant (russellb) wrote on 2012-04-17:

#18

and for stable/essex: https://review.openstack.org/6621

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-04-23: Fix merged to horizon (master)

#19

Reviewed: https://review.openstack.org/6618
Committed: http://github.com/openstack/horizon/commit/ab2e27522aaeb0268fcc121bd3eff5a4485f313c
Submitter: Jenkins
Branch: master

commit ab2e27522aaeb0268fcc121bd3eff5a4485f313c
Author: J. Daniel Schmidt <email address hidden>
Date: Tue Apr 10 14:56:37 2012 +0200

html escape the console log in refresh

fixes bug 977944

Change-Id: I89089155d1083332d02ae9039898227cbab42d07

Changed in horizon:
status:	Triaged → Fix Committed

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-04-25:

#20

Essex fix is still missing. Review 6621 is blocked until 6676 is backported, and the current attempt (6727) has been abandoned by devcamcar.

Revision history for this message

Bernhard M. Wiedemann (ubuntubmw) wrote on 2012-04-25:

#21

https://review.openstack.org/6676 seems not to be the thing that needs backporting for this.

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-04-25:

#22

Actually this bug needs 6621 (which is the backport of 6618)... but that needs the equivalent of *6626* (not 6676) being present in the branch before it can hit.

Revision history for this message

Devin Carlen (devcamcar) wrote on 2012-04-25:

#23

https://review.openstack.org/#/c/6727/ is proposed again