Login form allows autocompletion by browser

Bug #1116168 reported by Jesse Pretorius
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Dashboard (Horizon)  Fix Released  Medium      Jesse Pretorius

Bug Description

The AUTOCOMPLETE attribute, which is used by web developers to indicate when web browsers should retain information relating to web forms, is not disabled on form input elements relating to passwords.

An attacker who gains access to the computer, either locally or through some remote compromise, can capture the stored credentials. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

It is recommended that the AUTOCOMPLETE attribute be disabled on all sensitive forms.

I have prepared a suggested patch in this pull request: https://github.com/openstack/horizon/pull/21
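The check below is an added example, not code from the Horizon project or from the reporter's pull request. It walks an HTML document with the standard-library parser and reports every `<input type="password">` that neither carries `autocomplete="off"` itself nor sits inside a `<form>` that does, which is the condition the report describes; an `autocomplete` attribute on the input overrides the form's, as the HTML specification defines. The two login forms are constructed to mirror the shape of the Horizon form before and after a fix that puts the attribute on the `<form>` tag; they are not copied from the project. One caveat a practitioner should keep in mind: mainstream browsers (Chrome, Firefox, Safari, Edge) have for years ignored `autocomplete="off"` for their built-in password managers on login fields, so a clean result from this check is a hygiene finding, not evidence that credentials will not be saved.

```python
"""Find password inputs that a browser may offer to remember.

Added example (not Horizon code). Flags <input type="password"> elements
where the effective autocomplete setting is not "off". The sample forms
below are constructed for this example.
"""
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Track the autocomplete value of each open <form> and record every
    password input whose effective setting is not "off"."""

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete value of each open <form>, innermost last
        self.findings = []      # (line, column, input name) for each flagged input

    def handle_starttag(self, tag, attrs):
        # Attribute names arrive lower-cased already; normalise values too.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete", ""))
            return
        if tag == "input" and a.get("type") == "password":
            own = a.get("autocomplete", "")
            inherited = self._form_stack[-1] if self._form_stack else ""
            # Per the HTML spec the input's own attribute takes precedence
            # over the enclosing form's; absent both, the default is "on".
            effective = own or inherited
            if effective != "off":
                line, col = self.getpos()
                self.findings.append((line, col, a.get("name", "<unnamed>")))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def find_autofillable_passwords(html):
    """Return [(line, col, name), ...] for each password input lacking autocomplete="off"."""
    p = PasswordAutocompleteAudit()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a login form with no autocomplete attribute anywhere,
# the condition the bug report describes.
BEFORE = """
<form id="login_form" method="post" action="/auth/login/">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign In</button>
</form>
"""

# Constructed sample: the same form with autocomplete="off" on the <form>
# tag, the kind of fix the commit message on this page describes.
AFTER = BEFORE.replace('<form id="login_form"', '<form id="login_form" autocomplete="off"')

# Constructed sample: the form says "off" but the input itself says "on";
# the input-level attribute wins, so this must still be flagged.
OVERRIDE = '<form autocomplete="off"><input type="password" name="pw" autocomplete="on"></form>'


if __name__ == "__main__":
    for label, doc in (("before fix", BEFORE), ("after fix", AFTER), ("input override", OVERRIDE)):
        hits = find_autofillable_passwords(doc)
        print(f"{label}: {len(hits)} autofillable password field(s): {hits}")
```

Run against a saved copy of the login page (for example the output of `curl` against the dashboard URL) rather than against the template source, so that the check sees the attributes as the browser does after template rendering.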

Thierry Carrez (ttx) wrote:

Adding PTL for comments.

While I think this definitely should be fixed as a strengthening measure, I don't think this warrants an information embargo and security advisory, as it relies on another exploit to be used.

Any chance you could submit your patch following http://wiki.openstack.org/GerritWorkflow ? If not, do you mind if someone picks it up and proposes it (with proper credit on the commit message) ?

Setting this to public since the github pull req is public.

information type: Private Security → Public Security
Changed in horizon:
assignee: nobody → Jesse Pretorius (jesse-pretorius)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21231

Changed in horizon:
status: New → In Progress
Changed in horizon:
importance: Undecided → Medium
milestone: none → grizzly-3
OpenStack Infra (hudson-openstack) wrote: Fix merged to horizon (master)

Reviewed: https://review.openstack.org/21231
Committed: http://github.com/openstack/horizon/commit/fea8f873ad608308445112e94c54bfdcedb86891
Submitter: Jenkins
Branch: master

commit fea8f873ad608308445112e94c54bfdcedb86891
Author: Jesse Pretorius <email address hidden>
Date: Tue Feb 5 19:28:34 2013 +0200

    Implements the autocomplete attribute on the login form

    The current login form allows the browser to automatically complete the authentication credentials based on saved values. This presents a security risk as described in bug 1116168.

    This commit adds the autocomplete attribute to the form tag for the login page to prevent this behaviour.

    Change-Id: I1b218b2db787c1581134f9bd80904c161d20b4c3
    Fixes: bug #1116168

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: grizzly-3 → 2013.1
This report contains Public Security information.