[OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)

Bug #1247675 reported by Jeremy Stanley on 2013-11-03
Affects                          Importance  Assigned to
OpenStack Dashboard (Horizon)    Critical    Rob Raymond
  Grizzly series                 Critical    Sascha Peilicke
  Havana series                  Critical    Matthias Runge
OpenStack Security Advisory      Medium      Jeremy Stanley

Bug Description

Hello,

My name is Chris Chapman, I am an Incident Manager with Cisco PSIRT.

I would like to report the following XSS issue found in the OpenStack
WebUI that was reported to Cisco.

The details are as follows:

The OpenStack web user interface is vulnerable to XSS:

While launching (or editing) an instance, injecting <script> tags in
the instance name results in the javascript being executed on the
"Volumes" and the "Network Topology" page. This is a classic Stored
XSS vulnerability.

Recommendations:
- Sanitize the "Instance Name" string to prevent XSS.
- Sanitize all user input to prevent XSS.
- Consider utilizing Content Security Policy (CSP). This can be used
to prevent inline javascript from executing & only load javascript
files from approved domains. This would prevent XSS, even in
scenarios where user input is not properly sanitized.

Please include PSIRT-2070334443 in the subject line for all
communications on this issue with Cisco going forward.

If you can also include any case number that this issue is assigned
that will help us track the issue.

Thank you,
Chris

Chris Chapman | Incident Manager
Cisco Product Security Incident Response Team - PSIRT
Security Research and Operations
Office: (949) 823-3167 | Direct: (562) 208-0043
Email: <email address hidden>
SIO: http://www.cisco.com/security
PGP: 0x959B3169

Jeremy Stanley (fungi) on 2013-11-03
Changed in ossa:
status: New → Incomplete
David Lyle (david-lyle) wrote :

I confirmed/reproduced this on the volumes page when attaching to an instance. Could not reproduce on the 'network topology' page.

Changed in horizon:
status: New → Triaged
importance: Undecided → High
importance: High → Critical
David Lyle (david-lyle) wrote :

So sanitizing the input is not sufficient, because someone using the APIs can potentially push dangerous names directly that way. So best approach is to make sure any values coming out are not left as raw HTML.

David Lyle (david-lyle) on 2013-11-04
Changed in horizon:
milestone: none → icehouse-1
Thierry Carrez (ttx) wrote :

I think this one should generate an advisory. We'll develop the fix and advisory in private, so the patches should not be pushed to gerrit for public review.

David: you should attach the proposed patches to this bug and get them reviewed using bug comments. Feel free to "subscribe" anyone from Horizon that can help so that they get access to this bug.

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
Julie Pichon (jpichon) wrote :

I think the fix already went in: https://review.openstack.org/#/c/55175/ and probably needs to be backported.

Thierry Carrez (ttx) wrote :

Making bug public since it was publicly fixed.
Which versions are affected by this ?

information type: Private Security → Public Security
Changed in horizon:
status: Triaged → Fix Committed
Matthias Runge (mrunge) on 2013-11-19
tags: added: havana-backport-potential
David Lyle (david-lyle) on 2013-11-19
Changed in horizon:
assignee: nobody → Rob Raymond (rob-raymond)
Thierry Carrez (ttx) wrote :

Does this only affect havana or is Grizzly affected ?

David Lyle (david-lyle) wrote :

This affects Grizzly as well.

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58465

Could this one be proposed as a stable/grizzly backport ?

We also need to double-check with the reporter on the "Network Topology" case.

David: did you go through the code to try to catch other occurrences of the same issue (API-provided names used to trigger XSS in the web UI)?

The reporter, Chris Chapman, has been subscribed to this bug since I first opened it...

Chris, does the proposed patch also address your issue as reported with regard to javascript being executed on the "Network Topology" page?

Reviewed: https://review.openstack.org/58465
Committed: http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
Submitter: Jenkins
Branch: stable/havana

commit 6179f70290783e55b10bbd4b3b7ee74db3f8ef70
Author: Rob Raymond <email address hidden>
Date: Mon Nov 4 12:12:40 2013 -0700

    Fix bug by escaping strings from Nova before displaying them

    Fixes bug #1247675

    (cherry-picked from commit b8ff480)
    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101

Note that stable/grizzly backport is blocked on bug 1255419
Could infra force push it until Tempest is fixed?

Kurt Seifried (kseifried) wrote :

Assigned a CVE for this issue since it's public.

Jeremy Stanley (fungi) wrote :

Alan: If we take any "emergency" actions from an infra perspective, I'd rather see an emergency revert of all code depending on newer iso8601 (until it can be introduced in a safer manner) rather than an emergency bypass of all testing for security changes (this isn't the only one it's blocking, after all).

Kurt: Thanks! We had been holding off requesting a CVE until we had an accurate description of the actual vulnerability (since that has a tendency to evolve while patches are written and tested). If that's not necessary, I will be happy to start formally requesting them sooner and allow you to simply edit or reject them later as needed.

summary: - Persistent XSS in OpenStack Web UI for Instances
+ Persistent XSS in OpenStack Web UI for Instances (CVE-2013-6406)
Akihiro Motoki (amotoki) on 2013-12-03
tags: removed: havana-backport-potential

This should be CVE-2013-6858. I assigned CVE-2013-6406, it's a duplicate, it has been REJECT'ed

http://seclists.org/oss-sec/2013/q4/407

summary: - Persistent XSS in OpenStack Web UI for Instances (CVE-2013-6406)
+ Persistent XSS in OpenStack Web UI for Instances (CVE-2013-6858)
Thierry Carrez (ttx) on 2013-12-04
Changed in horizon:
status: Fix Committed → Fix Released
Jeremy Stanley (fungi) on 2013-12-05
Changed in ossa:
assignee: nobody → Jeremy Stanley (fungi)

Proposed impact description...
-----

Title: Insufficient sanitization of Instance Name in Horizon
Reporter: Cisco PSIRT
Products: Horizon
Affects: All supported releases

Description:
Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.

Jeremy Stanley (fungi) on 2013-12-06
Changed in ossa:
status: Confirmed → In Progress
Grant Murphy (gmurphy) wrote :

+1

Jeremy Stanley (fungi) on 2013-12-06
Changed in ossa:
status: In Progress → Fix Committed
Jeremy Stanley (fungi) wrote :

Scheduled advisory publication date is Wednesday, December 11, 2013 at 1500UTC.

Jeremy Stanley (fungi) on 2013-12-11
summary: - Persistent XSS in OpenStack Web UI for Instances (CVE-2013-6858)
+ [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon
+ (CVE-2013-6858)

Reviewed: https://review.openstack.org/58820
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b14debc73132d1253220192e110f00f62ddb8bbc
Submitter: Jenkins
Branch: stable/grizzly

commit b14debc73132d1253220192e110f00f62ddb8bbc
Author: Rob Raymond <email address hidden>
Date: Mon Nov 4 12:12:40 2013 -0700

    Fix bug by escaping strings from Nova before displaying them

    Fixes bug #1247675

    (cherry-picked from commit b8ff480)
    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101

Jeremy Stanley (fungi) on 2013-12-16
Changed in ossa:
status: Fix Committed → Fix Released

Hi Jeremy,

I want to confirm that this issue was also fixed on the "network topology"
page as well as the "Volumes" & "Images and Snapshots" pages.

Please confirm.

Thank you,
Chris


Rob Raymond (rob-raymond) wrote :

I could not reproduce an XSS issue on the Network Topology panel. From the comment above, Dave Lyle was not able to either.

I thought perhaps in the original bug that someone created an instance on the Network Topology page that contained <script> tags and that those tags were then being executed on the Volumes page. If the fix was to sanitize the input, then that is the logical place to do this.

But the fix was to make sure that places that display the instance name escape the string so that the browser does not interpret it but only displays it. I took a pass through to see if this happens in other places that we call marksafe. Those are the places changed in this fix.
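
The point made by David Lyle earlier in the thread (input sanitization cannot cover names created through the Nova API) and Rob Raymond's description of the fix (escape at display time) in code. This is an added illustration, not Horizon's code: it uses Python's html.escape in place of Django's escape(), and the instance names and row renderers are constructed for the example.

```python
import html

# Constructed sample names, as a tenant could set them either through the
# Horizon launch form or directly through the Nova API (not data from the bug).
INSTANCE_NAMES = [
    "web-01",
    "<script>alert(1)</script>",     # the stored-XSS case from the report
    'a" onmouseover="alert(1)',      # attribute-context variant
]


def form_side_filter(name: str) -> str:
    """Naive input sanitization applied only when the Horizon form is used.
    A name created via the Nova API never passes through this function."""
    return name.replace("<script>", "").replace("</script>", "")


def render_volume_row_unsafe(name: str) -> str:
    """Pre-fix pattern: a value fetched from Nova is inserted as raw HTML
    (the equivalent of wrapping the string in mark_safe)."""
    return f'<td title="{name}">{name}</td>'


def render_volume_row_safe(name: str) -> str:
    """Post-fix pattern: escape the API value at output, so it is displayed
    but never interpreted, in both the text and the attribute context."""
    safe = html.escape(name, quote=True)
    return f'<td title="{safe}">{safe}</td>'


def contains_active_markup(rendered: str) -> bool:
    """Crude detector for the two failure modes above: a raw tag survived,
    or a quote broke out of the title attribute into a new attribute."""
    return "<script" in rendered or '" on' in rendered


def compare_paths(name: str) -> dict:
    """Show why filtering the form is not enough: the API path skips the
    filter, and only output escaping makes every path inert."""
    return {
        "form_path_unsafe_render": contains_active_markup(
            render_volume_row_unsafe(form_side_filter(name))),
        "api_path_unsafe_render": contains_active_markup(
            render_volume_row_unsafe(name)),
        "api_path_safe_render": contains_active_markup(
            render_volume_row_safe(name)),
    }


if __name__ == "__main__":
    for n in INSTANCE_NAMES:
        print(repr(n), compare_paths(n))
```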

Thierry Carrez (ttx) on 2014-04-17
Changed in horizon:
milestone: icehouse-1 → 2014.1