[OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)

Bug #1322197 reported by Jeremy Stanley on 2014-05-22
Affects / Importance / Assigned to:
  OpenStack Dashboard (Horizon): High, Julie Pichon
    Havana series: Undecided, Unassigned
    Icehouse series: Undecided, Unassigned
  OpenStack Security Advisory: High, Jeremy Stanley

Bug Description

Received 2014-05-20 18:52:34 UTC via encrypted E-mail from "Craig Lorentzen (crlorent)" <email address hidden>:

Hello Jeremy,

This is Craig Lorentzen from the Product Security Incident Response Team
(PSIRT) at Cisco Systems. The purpose of this email is to disclose to
you a vulnerability that was found during testing of a Cisco Product
using OpenStack. Below please find the original discoverer's notes.
Please let us know if there is anything else you need regarding this.
Please also provide a tracking number for our records.

-----

Headline: Persistent XSS in OpenStack Havana UI for Network Name
Platforms: OpenStack Horizon
Versions: Havana
CVSS Score: 9.0
CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
CWE Tags:

The Openstack Horizon user interface is vulnerable to XSS. The Network Name
parameter is not properly sanitized to prevent javascript injection, leading
to persistent XSS.

Steps to reproduce:

1) Create a new network. Use:

    <script>alert(1);</script>

for the network name. Disable both Subnet -> Create Subnet and Subnet Detail ->
Enable DHCP. Choose Create.

2) Select Instances -> Launch Instance. Receive alert.

Recommendations:

- Sanitize the rendering of "Network Name" string to prevent XSS.

- Consider utilizing Content Security Policy (CSP). This can be used to prevent
inline javascript from executing & only load Javascript files from approved
domains. This would prevent XSS, even in scenarios where user input is not
properly sanitized.

-----

Thank You,
Craig Lorentzen
Incident Manager
Cisco Product Security Incident Response Team
Security Research and Operations
Office: 919.574.5680
Email: <email address hidden>
SIO: http://www.cisco.com/security
PGP: 0x30A6C8ED
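The rendering flaw the report and the later commit message describe, as an added Python example that is not Horizon's own code: an untrusted network name interpolated into an HTML option and into an inline JavaScript string literal, each beside the escaped form the fix calls for. Horizon is a Django application, but this example uses only the standard library (html.escape, json.dumps); the function names, the constructed sample names and the has_raw_tag check are this example's own, not anything from the project.

```python
import html
import json

# Constructed sample network names for the demo; the second is the payload
# from the report, the others probe quoting and script-block break-out.
NETWORK_NAMES = [
    "private",
    "<script>alert(1);</script>",
    'net "quoted" & <b>bold</b>',
    "</script><script>alert(2)</script>",
]


def render_option_vulnerable(name):
    """HTML context, no escaping: the name lands in the DOM as markup."""
    return '<option value="%s">%s</option>' % (name, name)


def render_option_escaped(name):
    """HTML context, escaped: &, <, >, " and ' become entities, so the
    browser shows the name as text and never parses a tag out of it."""
    safe = html.escape(name, quote=True)
    return '<option value="%s">%s</option>' % (safe, safe)


def render_js_vulnerable(name):
    """Inline-script context, no escaping: a quote ends the literal early
    and a </script> in the name ends the whole script block."""
    return 'var networkName = "%s";' % name


def render_js_escaped(name):
    """Inline-script context, escaped: json.dumps builds a valid JS string
    literal (quotes and backslashes escaped); <, > and & are additionally
    written as \\uXXXX so the HTML parser cannot see a closing </script>."""
    literal = json.dumps(name)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "var networkName = %s;" % literal


def has_raw_tag(rendered):
    """Crude check used by the demo: does a literal <script or </script
    survive in the output (what the reporter's alert(1) payload needs)?"""
    low = rendered.lower()
    return "<script" in low or "</script" in low


def roundtrip_html(name):
    """Escaping must not lose data: decoding the escaped text gives the
    original name back, so a legitimate name like 'a & b' still displays."""
    return html.unescape(html.escape(name, quote=True)) == name


def all_safe(names):
    """True when neither escaped renderer leaves a raw script tag for any
    name in the list."""
    return all(not has_raw_tag(render_option_escaped(n))
               and not has_raw_tag(render_js_escaped(n))
               for n in names)


if __name__ == "__main__":
    for name in NETWORK_NAMES:
        print("name:     ", name)
        print("html vuln:", render_option_vulnerable(name))
        print("html safe:", render_option_escaped(name))
        print("js   vuln:", render_js_vulnerable(name))
        print("js   safe:", render_js_escaped(name))
        print()
    print("all escaped renderings safe:", all_safe(NETWORK_NAMES))
```

The point the two contexts make is that escaping is context-specific: entity-encoding is right for text and attribute values, but inside a script block a JS string literal needs JS escaping plus protection against a premature closing tag, which is why a single "sanitize the name" step on input is weaker than escaping at each output site. A CSP that forbids inline script, as the report also recommends, would block the alert(1) in both vulnerable renderers even without the escaping.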


Jeremy Stanley (fungi) on 2014-05-22
Changed in ossa:
status: New → Incomplete
David Lyle (david-lyle) wrote :

Tested and this is also an issue on master.

Changed in horizon:
status: New → Confirmed
importance: Undecided → High
Jeremy Stanley (fungi) wrote :

Seems we need series tasks for havana and icehouse in that case. Anyone have an idea of whether it also affects releases prior to havana and, if so, how many? Once I have that I can take a stab at drafting an impact description.

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Thierry Carrez (ttx) on 2014-05-27
Changed in horizon:
assignee: nobody → Julie Pichon (jpichon)

We'll be coordinating a common advisory with the bug https://bugs.launchpad.net/ossa/+bug/1308727

Thierry Carrez (ttx) on 2014-05-29
Changed in ossa:
status: Confirmed → Triaged
Jeremy Stanley (fungi) wrote :

The reporter also followed up via a second encrypted E-mail to suggest that this may be related to the network topology XSS mentioned (but unreproduced) in prior bug 1247675.

summary: - Persistent XSS in OpenStack Havana UI for Network Name
+ Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)
Thierry Carrez (ttx) on 2014-06-09
Changed in ossa:
status: Triaged → In Progress

Matthias Runge (mrunge) wrote :

The question here is whether it's desirable to be able to name a network like an HTML tag:
<your name here>
or whether we should scrub those ampersands at all.

A proposal to sanitize names and to escape JS is in the patch.

Julie Pichon (jpichon) wrote :

At the moment we're tracking the fixes for the 3 XSS vulnerabilities in bug 1308727, maybe this can be added to it? Comments/feedback welcome either way, thank you!

Disclosure date is set to:
2014-07-08, 1500 UTC

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/105476

Changed in horizon:
status: Confirmed → In Progress
summary: - Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474)
+ [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name
+ (CVE-2014-3474)

Reviewed: https://review.openstack.org/105476
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=de4466d88b816437fb29eff5ab23b9b964cd3985
Submitter: Jenkins
Branch: master

commit de4466d88b816437fb29eff5ab23b9b964cd3985
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

Changed in horizon:
status: In Progress → Fix Committed
Changed in ossa:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/105477
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=32a7b713468161282f2ea01d5e2faff980d924cd
Submitter: Jenkins
Branch: stable/icehouse

commit 32a7b713468161282f2ea01d5e2faff980d924cd
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-icehouse

Reviewed: https://review.openstack.org/105478
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c844bd692894353c60b320005b804970605e910f
Submitter: Jenkins
Branch: stable/havana

commit c844bd692894353c60b320005b804970605e910f
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Conflicts:
     horizon/tables/base.py
     openstack_dashboard/dashboards/admin/users/tables.py

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

tags: added: in-stable-havana
Changed in horizon:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in horizon:
milestone: juno-2 → 2014.2