[OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Critical | Rob Raymond | |
| Grizzly | Fix Released | Critical | Unassigned | |
| Havana | Fix Released | Critical | Matthias Runge | |
| OpenStack Security Advisory | Fix Released | Medium | Jeremy Stanley | |
Bug Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello,
My name is Chris Chapman, I am an Incident Manager with Cisco PSIRT.
I would like to report the following XSS issue found in the OpenStack
WebUI that was reported to Cisco.
The details are as follows:
The OpenStack web user interface is vulnerable to XSS:
While launching (or editing) an instance, injecting <script> tags in
the instance name results in the JavaScript being executed on the
"Volumes" and the "Network Topology" page. This is a classic Stored
XSS vulnerability.
Recommendations:
- Sanitize the "Instance Name" string to prevent XSS.
- Sanitize all user input to prevent XSS.
- Consider utilizing Content Security Policy (CSP). This can be used
to prevent inline JavaScript from executing and only load JavaScript
files from approved domains. This would prevent XSS, even in
scenarios where user input is not properly sanitized.
Please include PSIRT-2070334443 in the subject line for all
communications on this issue with Cisco going forward.
If you can also include any case number that this issue is assigned
that will help us track the issue.
Thank you,
Chris
Chris Chapman | Incident Manager
Cisco Product Security Incident Response Team - PSIRT
Security Research and Operations
Office: (949) 823-3167 | Direct: (562) 208-0043
Email: <email address hidden>
SIO: http://
PGP: 0x959B3169
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://
Comment: Using GnuPG with Thunderbird - http://
-----END PGP SIGNATURE-----
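The report describes the two halves of the problem: an instance name that is interpolated into HTML verbatim, and the CSP that would have limited the damage. The sketch below is an added example, not Horizon's code or the fix that shipped for this bug. Horizon is a Django application and would use `django.utils.html.escape` or `format_html`; the standard library's `html.escape` is used here so it runs without Django. The instance ids and the `option_*` / `csp_header` helper names are made up for the illustration.

```python
"""Stored XSS via an unescaped instance name, and the escaped form that fixes it.

Added example, not Horizon's code. html.escape stands in for
django.utils.html.escape so the sketch runs stand-alone.
"""
import html
import re

# Constructed sample data: a benign instance and one whose name carries the
# payload described in the report. The ids are made up.
INSTANCES = [
    {"id": "0f1e2d3c", "name": "web-01"},
    {"id": "4b5a6978", "name": "<script>alert(document.cookie)</script>"},
]


def option_vulnerable(instance):
    """Option label built with plain string interpolation and later dropped
    into the page as-is (for example via mark_safe, or a template context
    that disables autoescaping). The user-chosen name is rendered verbatim."""
    return '<option value="%s">%s (%s)</option>' % (
        instance["id"], instance["name"], instance["id"])


def option_escaped(instance):
    """Same label with every field HTML-escaped before interpolation.
    quote=True also escapes " and ' so the value attribute cannot be
    broken out of if an attacker ever controls that field."""
    return '<option value="{}">{} ({})</option>'.format(
        html.escape(instance["id"], quote=True),
        html.escape(instance["name"], quote=True),
        html.escape(instance["id"], quote=True))


def render_select(instances, build_option):
    """Render a whole <select>, as a volume attach form would, using the
    given option builder."""
    return ('<select name="instance_id">\n'
            + "\n".join(build_option(i) for i in instances)
            + "\n</select>")


# Crude detector for live markup: a <script> tag or an inline event handler
# attribute. An escaped name becomes &lt;script&gt; and no longer matches.
_ACTIVE_MARKUP = re.compile(r"<script\b|<[a-z]+[^>]*\son[a-z]+\s*=",
                            re.IGNORECASE)


def contains_active_markup(rendered):
    """True if the rendered HTML still contains executable markup."""
    return _ACTIVE_MARKUP.search(rendered) is not None


def csp_header(approved_script_hosts=()):
    """Build the Content-Security-Policy value the reporter recommends:
    no inline JavaScript (no 'unsafe-inline'), scripts only from the
    application's own origin plus explicitly approved hosts.

    Caveat: this also blocks any inline <script> the dashboard itself
    ships, so templates must be audited (or moved to nonces/hashes) before
    such a policy is enforced rather than merely reported."""
    script_src = " ".join(("'self'",) + tuple(approved_script_hosts))
    return ("default-src 'self'; script-src %s; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'" % script_src)


if __name__ == "__main__":
    print(render_select(INSTANCES, option_vulnerable))
    print(render_select(INSTANCES, option_escaped))
    print("Content-Security-Policy:",
          csp_header(["https://static.example.net"]))
```

The escaped rendering is the fix the reporter asks for; the CSP value is the defence in depth for the case where some other page (the network topology view, in the report) still renders a name unescaped. Both should be in place, since escaping at one call site does nothing for the next one.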
Changed in ossa: status: New → Incomplete
Changed in horizon: milestone: none → icehouse-1
tags: added: havana-backport-potential
Changed in horizon: assignee: nobody → Rob Raymond (rob-raymond)
tags: removed: havana-backport-potential
Changed in horizon: status: Fix Committed → Fix Released
Changed in ossa: assignee: nobody → Jeremy Stanley (fungi)
Changed in ossa: status: Confirmed → In Progress
Changed in ossa: status: In Progress → Fix Committed
summary: Persistent XSS in OpenStack Web UI for Instances (CVE-2013-6858) → [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)
Changed in ossa: status: Fix Committed → Fix Released
Changed in horizon: milestone: icehouse-1 → 2014.1
I confirmed/reproduced this on the volumes page when attaching to an instance. Could not reproduce on the 'network topology' page.