Comment 5 for bug 1191051

Joaquin Berrios (joberrio) wrote : Re: [Bug 1191051] Re: Horizon does not set Secure Attribute in cookies

Hello Jeremy,

Thank you for pointing out the relevant documentation. The proposed
settings seem to address the concern. I'll have the product team
check their Django configuration.

Thank you,
--
Joaquin Berrios
PSIRT Incident Manager
Cisco Systems Inc.
e-mail: <email address hidden>
Work Phone: 512-378-1321
Cell Phone: 512-576-0697
PGP: 0x45F5AEA1

On 6/16/13 9:02 AM, "Jeremy Stanley" <email address hidden> wrote:

Joaquin, just to confirm, had you tried following the above documented
recommendations for securing Horizon before performing your
vulnerability scan? If not, does the above setting/documentation address
your concern?

https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Version: 2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which
allows them to be sent over unencrypted requests. This could result in
stolen sessions, as it is trivial to force the browser to make unencrypted
requests. For more information see

https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29
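A check for the condition the report describes, added here as an example; it is not code from the bug thread or from Horizon, and it assumes Django's default cookie names (sessionid, csrftoken) and its SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE settings, which this page does not name:

```python
# Constructed example (not Horizon's or the bug report's code): audit Set-Cookie
# headers for the Secure attribute the report says Horizon's cookies lack.
from dataclasses import dataclass

# Attributes each sensitive cookie must carry (assumes Django's default cookie
# names). Secure is the attribute this bug is about; HttpOnly is required only
# for the session cookie, since Django's CSRF cookie is read by script by design.
REQUIRED_ATTRS = {
    "sessionid": {"secure", "httponly"},  # SESSION_COOKIE_SECURE/_HTTPONLY
    "csrftoken": {"secure"},              # CSRF_COOKIE_SECURE
}


@dataclass
class Finding:
    cookie: str
    missing: str


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(headers):
    """Return a Finding per required attribute absent from a sensitive cookie."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        for attr in sorted(REQUIRED_ATTRS.get(name, ())):
            if attr not in attrs:
                findings.append(Finding(name, attr))
    return findings


VULNERABLE = [  # constructed headers: no Secure flag, as the report describes
    "sessionid=abc123; expires=Sun, 30-Jun-2013 09:02:00 GMT; Path=/; HttpOnly",
    "csrftoken=def456; expires=Sun, 30-Jun-2013 09:02:00 GMT; Path=/",
    "lang=en; Path=/",
]
HARDENED = [  # after SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=def456; Path=/; Secure",
]
```

Running `audit_set_cookie(VULNERABLE)` reports the session and CSRF cookies as missing Secure while the non-sensitive language cookie is ignored; the hardened set yields no findings.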
