[OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)
Bug #1308727 reported by
Jason Hullinger
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Released
|
High
|
Julie Pichon | ||
Havana |
Fix Released
|
High
|
Julie Pichon | ||
Icehouse |
Fix Released
|
High
|
Julie Pichon | ||
OpenStack Security Advisory |
Fix Released
|
Medium
|
Tristan Cacqueray |
Bug Description
The attached yaml will result in a Cross Site Script when viewing the resources or events of an Orchestration stack in the following paths:
/project/
/project/
The A tag's href attribute does not properly URL encode the name of the resource string resulting in escaping out of the attribute and arbitrary HTML written to the page.
Related branches
CVE References
information type: | Private Security → Private |
information type: | Private → Private Security |
Changed in ossa: | |
status: | New → Incomplete |
Changed in ossa: | |
status: | Incomplete → Confirmed |
Changed in ossa: | |
importance: | Undecided → Medium |
Changed in horizon: | |
assignee: | nobody → Julie Pichon (jpichon) |
Changed in ossa: | |
assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
Changed in ossa: | |
status: | Triaged → In Progress |
summary: |
- XSS in Horizon Heat template - resource name + XSS in Horizon Heat template - resource name (CVE-2014-3473) |
Changed in ossa: | |
status: | In Progress → Fix Committed |
information type: | Private Security → Public Security |
summary: |
- XSS in Horizon Heat template - resource name (CVE-2014-3473) + [OSSA 2014-023] XSS in Horizon Heat template - resource name + (CVE-2014-3473) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
milestone: | none → juno-2 |
status: | Fix Committed → Fix Released |
tags: | removed: in-stable-icehouse |
Changed in horizon: | |
milestone: | juno-2 → 2014.2 |
To post a comment you must log in.
What additional information would you like? Are you unable to reproduce? I'm running DevStack on Ubuntu 12.04.4 LTS. Steps to reproduce:
Upload the attached template file in Orchestration- >Stacks and create a new instance. Click on the Stack Name and go to the Resources or Events tab. The HTML output is:
<a href="my_ instance" ><img src="zz" onerror= "alert( 1)">" class=" ">my_ instance" >< img src=zz onerror= alert(1) ></a>
This is due to the resource name in the attached yaml file, which I will paste here:
======
heat_template_ version: 2013-05-23
description: Simple template to deploy a single compute instance
resources: 0.3.1-x86_ 64-uec
my_instance"><img src=zz onerror=alert(1)>:
type: OS::Nova::Server
properties:
key_name: my_key
image: cirros-
flavor: m1.nano
======
Please let me know if you need further information.