Hello Jeremy,
Thank you for pointing out the relevant documentation. The proposed
settings seem like they would address the concern. I'll have the product team
check their Django configuration.
Thank you,
--
Joaquin Berrios
PSIRT Incident Manager
Cisco Systems Inc.
e-mail: <email address hidden>
Work Phone: 512-378-1321
Cell Phone: 512-576-0697
PGP: 0x45F5AEA1
On 6/16/13 9:02 AM, "Jeremy Stanley" <email address hidden> wrote:
Joaquin, just to confirm, had you tried following the above documented
recommendations for securing Horizon before performing your
vulnerability scan? If not, does the above setting/documentation address
your concern?
--
https://bugs.launchpad.net/bugs/1191051
You received this bug notification because you are subscribed to the bug
report.
Title:
Horizon does not set Secure Attribute in cookies
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
Version: 2012.2
The cookies used by Horizon do not have the Secure Attribute set, which
allows them to be sent over unencrypted requests. This could result in
stolen sessions, as it is trivial to force the browser to make unencrypted
requests. For more information see
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions
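The check a practitioner would want to run against a Horizon deployment, both before and after applying the Django settings mentioned in the thread, is to fetch the dashboard over HTTPS and inspect the raw Set-Cookie headers for the Secure attribute. The script below is an added example and is not code from the Launchpad thread, from Horizon or from Django. It assumes Django's default cookie names ("sessionid" and "csrftoken"), names the standard Django settings that control the attributes (SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, CSRF_COOKIE_SECURE) as the expected remediation, and uses constructed sample headers for the weak and hardened cases so it runs offline.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for the Horizon cookie bug; not code from the thread, from
Horizon or from Django. Assumptions (not stated in the thread): Horizon
uses Django's default cookie names "sessionid" and "csrftoken". In Django
these attributes are set by the following settings, which in Horizon
would go into local_settings.py:

    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True
    CSRF_COOKIE_SECURE = True

The CSRF cookie is deliberately readable by JavaScript (Django's
CSRF_COOKIE_HTTPONLY defaults to False because AJAX code reads it), so the
policy below requires HttpOnly only on the session cookie.
"""
import http.client

# Required attributes per cookie name, in the order they are reported.
COOKIE_POLICY = {
    "sessionid": ("secure", "httponly"),
    "csrftoken": ("secure",),
}
ATTRIBUTE_LABELS = {"secure": "Secure", "httponly": "HttpOnly"}

# Constructed sample responses: the weak form the bug report describes
# and the hardened form the settings above produce.
WEAK_HEADERS = [
    "sessionid=8f3b2c1d9e; Path=/",
    "csrftoken=a1b2c3d4; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=8f3b2c1d9e; Path=/; Secure; HttpOnly",
    "csrftoken=a1b2c3d4; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value|True}).

    Attribute names are matched case-insensitively, as RFC 6265 requires;
    flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(headers, policy=COOKIE_POLICY):
    """Return [(cookie_name, problem)] for every policy cookie that lacks a
    required attribute. Cookies not named in the policy are ignored."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        for required in policy.get(name, ()):
            if required not in attrs:
                findings.append((name, "missing " + ATTRIBUTE_LABELS[required]))
    return findings


def fetch_set_cookie_headers(host, path="/", timeout=10):
    """Fetch `path` over HTTPS and return the raw Set-Cookie headers.

    get_all() is used because Set-Cookie may appear several times and must
    not be comma-joined. Not exercised offline; feed the result to
    audit_set_cookie().
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookie(headers) or "ok")
```

Fetching over HTTPS is the right test: a cookie set without Secure will be sent by the browser on any later plain-HTTP request to the same host, which is what the bug report means by forcing unencrypted requests. Against a live deployment, call `audit_set_cookie(fetch_set_cookie_headers("dashboard.example", "/auth/login/"))` (the host and path are placeholders) before and after changing the settings.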