Hello Jeremy,
I expect your assumption that the Django configuration has not been set is
accurate. I've asked the product team to confirm, but have not received a
reply from them yet. I'm following up with them again, and should be able
to confirm this for you later today.
Thanks,
--
Joaquin Berrios
PSIRT Incident Manager
Cisco Systems Inc.
e-mail: <email address hidden>
Work Phone: 512-378-1321
Cell Phone: 512-576-0697
PGP: 0x45F5AEA1
On 6/20/13 9:13 AM, "Jeremy Stanley" <email address hidden> wrote:
Yes, I was hoping Joaquin might report back with confirmation that the
recommended Django configuration option in our documentation had not
actually been set in that environment during the original scans, and
that enabling it did fix this issue as intended. Given however that this
is the documented means of ensuring secure cookies, it seems safe to
assume it works and make the bug report public (probably also invalid in
Horizon or redirected to suggest increased visibility in the
documentation).
--
https://bugs.launchpad.net/bugs/1191051
You received this bug notification because you are subscribed to the bug
report.
Title:
Horizon does not set Secure Attribute in cookies
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
Version: 2012.2
The cookies used by Horizon do not have the Secure Attribute set, which
allows them to be sent over unencrypted requests. This could result in
stolen sessions, as it is trivial to force the browser to make unencrypted
requests. For more information see
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29
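The bug description rests on one browser rule: a cookie without the Secure attribute is attached to plain http:// requests as well as to https:// ones, so a session cookie issued without it can travel in clear text. The script below is an added example for this thread, not code from Horizon, Django or the reporter. It parses Set-Cookie headers from a constructed sample response using only the Python standard library, lists which cookies lack the attribute, and models the send-or-not decision a browser makes. The cookie names and values are made up; the thread does not name the Django option Jeremy mentions, and my assumption is that it is SESSION_COOKIE_SECURE (with CSRF_COOKIE_SECURE for the CSRF cookie).

```python
"""Audit Set-Cookie headers for the Secure attribute.

Added example for this bug thread; it is not code from the Horizon project,
Django, or the bug reporter. The response headers below are constructed
samples and the cookie names are illustrative.
"""
from http.cookies import SimpleCookie

# Constructed sample response headers from a Django-style dashboard:
# a session cookie and a CSRF cookie without Secure, plus one cookie that
# has it, so the audit has something to pass as well as something to flag.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=def456; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into dicts of the attributes we audit."""
    jar = SimpleCookie()
    jar.load(header_value)
    results = []
    for name, morsel in jar.items():
        results.append({
            "name": name,
            # SimpleCookie stores flag attributes as True when present and
            # as "" when absent, so bool() normalises both to True/False.
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return results


def audit_cookies(headers):
    """Return a finding for every Set-Cookie header in `headers`.

    `headers` is a list of (name, value) pairs, the shape that
    http.client's response.getheaders() returns.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        findings.extend(parse_set_cookie(value))
    return findings


def cookies_missing_secure(headers):
    """Names of cookies that a browser would also send over plain http://."""
    return [c["name"] for c in audit_cookies(headers) if not c["secure"]]


def would_be_sent(cookie, scheme):
    """Model the browser rule behind the report: a cookie without Secure is
    attached to requests on any scheme; a Secure cookie only on https://."""
    if cookie["secure"]:
        return scheme == "https"
    return True


if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_HEADERS):
        print(f"{c['name']:<10} secure={str(c['secure']):<5} "
              f"httponly={str(c['httponly']):<5} "
              f"sent over http: {would_be_sent(c, 'http')}")
    print("missing Secure:", cookies_missing_secure(SAMPLE_HEADERS))
```

To audit a live deployment, replace SAMPLE_HEADERS with the pairs from `response.getheaders()` after an https request to the login page; any session or CSRF cookie that appears in the "missing Secure" list is the condition this bug describes, and with Django's SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE set to True (my assumption as to the option the thread refers to) the list should be empty.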
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions