[OSSA 2014-023] Stored XSS for /admin/users/ (CVE-2014-3475)

Bug #1320235 reported by michael xin on 2014-05-16
Affects                                  | Importance | Assigned to
OpenStack Dashboard (Horizon)            | High       | Julie Pichon
OpenStack Dashboard (Horizon) - Havana   | High       | Julie Pichon
OpenStack Dashboard (Horizon) - Icehouse | High       | Julie Pichon
OpenStack Security Advisory              | Medium     | Tristan Cacqueray

Bug Description

The /admin/users/ page does not output-encode users' email addresses correctly. Since there is no input validation for the users' email address during the creation process, it is possible to inject a script tag into the email address. This is a stored cross-site scripting issue.

The issue can be abused to hijack a user's session, implant malware, etc.

For example, attached is a screen copy of Horizon for users with stored XSS in action.

michael xin (jqxin2006) wrote :

The OSSA task is incomplete pending additional details from security reviewers. Also I marked 1320233 as a duplicate of this one.

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

Looks valid to me at first glance... Malicious user could specify crafted email address which then would XSS the admin... Waiting on horizon-coresec to confirm, though.

Julie Pichon (jpichon) wrote :

I can reproduce the problem and Horizon should be escaping the data. Havana and possibly previous versions are also affected.

With regard to the security impact, I think it depends on whether one is using an external system to manage users or has modified the default Keystone permissions. If I understand correctly, by default the Keystone policy doesn't allow users to modify their own email. User creation and update appear to require admin rights ("You are not authorized to perform the requested action, admin_required. (HTTP 403)").

In itself, the problem is due to the use of the "urlize" filter to make the email address clickable. urlize expects the data to already be escaped. It looks like the filter is used in 2 places across the codebase, for users and groups management. I'll propose a fix.
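An added example (not Horizon's or Django's code) that models the mechanism described above: a constructed stand-in for the urlize filter as Horizon called it, with autoescaping off, beside the escape-then-urlize ordering the fix adopts. The filter stand-in, the sample addresses and the markup check are all assumptions made for this illustration.

```python
import html
import re

# Constructed stand-in for Django's urlize filter as Horizon used it
# (autoescape off): words that look like email addresses become mailto
# links, every other word is passed through verbatim and unescaped.
# Simplified: the real filter also autolinks http/www URLs.
WORD_SPLIT_RE = re.compile(r"(\s+)")
SIMPLE_EMAIL_RE = re.compile(r"^\S+@\S+\.\S+$")


def urlize_like(text: str) -> str:
    out = []
    for word in WORD_SPLIT_RE.split(text):
        if SIMPLE_EMAIL_RE.match(word):
            out.append('<a href="mailto:%s">%s</a>' % (word, word))
        else:
            out.append(word)  # trusted to be escaped already
    return "".join(out)


def render_email_before_fix(email: str) -> str:
    # Pre-fix path: the stored address is handed to urlize as-is.
    return urlize_like(email)


def render_email_after_fix(email: str) -> str:
    # Post-fix path, as the commit describes: escape first, then urlize.
    return urlize_like(html.escape(email, quote=True))


def has_unescaped_markup(rendered: str) -> bool:
    # Check: drop the anchor tags the filter itself emits and see whether
    # any other '<' or '>' reached the output unencoded.
    without_anchors = re.sub(r"</?a\b[^>]*>", "", rendered)
    return "<" in without_anchors or ">" in without_anchors


if __name__ == "__main__":
    # Constructed inputs; the second carries a harmless bold tag as a marker.
    for sample in ("alice@example.com", "bob@example.com <b>x</b>"):
        for render in (render_email_before_fix, render_email_after_fix):
            out = render(sample)
            print(render.__name__, has_unescaped_markup(out), out)
```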

Changed in horizon:
status: New → Confirmed
assignee: nobody → Julie Pichon (jpichon)
Julie Pichon (jpichon) wrote :

I'm attaching a patch that applies cleanly on both master and Icehouse and was tested in both environments.

Julie Pichon (jpichon) wrote :

Adding the Havana version of the patch (minor conflict), tested in devstack Havana.

Paul McMillan (paul-mcmillan) wrote :

I can confirm that Julie's patch looks good. Thanks for tracking that down.

Thierry Carrez (ttx) on 2014-05-26
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed

@michael xin, I'm not sure which company I should credit in this OSSA; your OpenStack community profile mentions Rackspace, is this still correct?

Tristan:
Thanks. Please use rackspace. Have a great day.

Michael

> On May 27, 2014, at 3:48 PM, Tristan Cacqueray <email address hidden> wrote:
>
> @michael xin, I'm not sure what company should I credit in this OSSA,
> your Openstack community profile mention Rackspace, is this still
> correct ?

Alright, thank you!

We'll be coordinating a common advisory with the bug https://bugs.launchpad.net/ossa/+bug/1308727 (to which you are now subscribed).

Thierry Carrez (ttx) on 2014-05-29
Changed in ossa:
status: Confirmed → Triaged
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
summary: - Stored XSS for /admin/users/
+ Stored XSS for /admin/users/ (CVE-2014-3475)
Thierry Carrez (ttx) on 2014-06-09
Changed in ossa:
status: Triaged → In Progress

Disclosure date is set to:
2014-07-08, 1500UTC

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/105476

Changed in horizon:
status: Confirmed → In Progress
summary: - Stored XSS for /admin/users/ (CVE-2014-3475)
+ [OSSA 2014-023] Stored XSS for /admin/users/ (CVE-2014-3475)

Reviewed: https://review.openstack.org/105476
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=de4466d88b816437fb29eff5ab23b9b964cd3985
Submitter: Jenkins
Branch: master

commit de4466d88b816437fb29eff5ab23b9b964cd3985
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

Changed in horizon:
status: In Progress → Fix Committed
Changed in ossa:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/105477
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=32a7b713468161282f2ea01d5e2faff980d924cd
Submitter: Jenkins
Branch: stable/icehouse

commit 32a7b713468161282f2ea01d5e2faff980d924cd
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-icehouse

Reviewed: https://review.openstack.org/105478
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c844bd692894353c60b320005b804970605e910f
Submitter: Jenkins
Branch: stable/havana

commit c844bd692894353c60b320005b804970605e910f
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Conflicts:
     horizon/tables/base.py
     openstack_dashboard/dashboards/admin/users/tables.py

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-havana
Changed in horizon:
milestone: none → juno-2
status: Fix Committed → Fix Released
Alan Pevec (apevec) on 2014-08-07
tags: removed: in-stable-havana in-stable-icehouse
Alan Pevec (apevec) on 2014-08-07
Changed in horizon:
importance: Undecided → High
Thierry Carrez (ttx) on 2014-10-16
Changed in horizon:
milestone: juno-2 → 2014.2
Grant Murphy (gmurphy) wrote :

Mitre looks to be splitting this into two CVE assignments. See: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8578
