With default configuration Horizon is exposed to session-fixation attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | Medium | Travis McPeak | |
Bug Description
With the default configuration, if an attacker can obtain a sessionid value from a user, the attacker can view and perform actions as that user. This ability does not go away after the user has logged out.
To view a potential exploit:
1) Create an admin profile with access to the admin project and a non-admin profile with no access to the admin project.
2) Log in to Horizon as the admin, navigate to the project/instances page and launch some VMs.
3) Open up Firebug and capture the sessionid value.
4) Log out the admin user.
5) Log in as the non-admin user.
6) Navigate to the project/instances page.
7) Use Firebug to paste in the admin user's sessionid value.
8) Click the project/instances link again to force a round trip.
*!* It is possible for the non-admin user to view all of the admin project's VMs.
9) In the Actions column choose More -> Terminate Instance.
*!* It is possible for the non-admin user to delete an admin project VM.
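The reason the replayed cookie in steps 7 and 8 still works is that Horizon's default Django `SESSION_ENGINE` is the signed-cookie backend: the whole session lives in the client-side cookie, so there is no server-side record for logout to destroy, and a copied sessionid stays valid until the cookie's own expiry. The following is an added example, not code from the Horizon project or from the bug report. It models both a stateless signed-cookie session and a server-side session store with plain `hmac` so it runs offline; the function names, the `SECRET_KEY` value and the `SESSIONS` dict are this example's own constructions.

```python
"""Replay of a captured session cookie after logout: signed-cookie vs server-side store.

Added example, not code from Horizon or the bug report. Both "backends" below are
toy models built with hmac/json so the behaviour can be shown without Django.
"""
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = b"constructed-example-key"  # constructed for this example only
TWO_WEEKS = 14 * 24 * 3600               # Django's default SESSION_COOKIE_AGE


# --- Backend 1: stateless signed cookie (what Horizon's default SESSION_ENGINE does) ---
def signed_cookie_issue(user, ttl=TWO_WEEKS):
    """Put the session data in the cookie itself and sign it; nothing is stored server-side."""
    payload = json.dumps({"user": user, "exp": time.time() + ttl}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def signed_cookie_resolve(cookie):
    """Return the user a presented cookie maps to, or None if forged or expired."""
    payload_hex, _, sig = cookie.partition(".")
    try:
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered: the signature, not the data, is what the server trusts
    data = json.loads(payload)
    if data["exp"] < time.time():
        return None  # expiry is the only thing that ever retires a signed cookie
    return data["user"]


def signed_cookie_logout(cookie):
    """Logout can only tell the browser to drop its copy; the value itself stays valid."""
    return None


# --- Backend 2: server-side session store (e.g. Django's cache backend + memcached) ---
SESSIONS = {}  # constructed in-memory stand-in for the session store


def server_side_issue(user):
    """The cookie is just a random handle; the data lives on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def server_side_resolve(sid):
    record = SESSIONS.get(sid)
    return record["user"] if record else None


def server_side_logout(sid):
    """Deleting the record (Django: request.session.flush()) kills every copy of the cookie."""
    SESSIONS.pop(sid, None)


def replay_after_logout(issue, resolve, logout):
    """Steps 2-8 of the report: capture the admin's cookie, log the admin out, replay it."""
    admin_cookie = issue("admin")
    captured = admin_cookie        # step 3: attacker copies the sessionid value
    logout(admin_cookie)           # step 4: admin logs out
    return resolve(captured)       # steps 7-8: whom does the server take the replayer for?


if __name__ == "__main__":
    print("signed cookie :", replay_after_logout(signed_cookie_issue, signed_cookie_resolve, signed_cookie_logout))
    print("server-side   :", replay_after_logout(server_side_issue, server_side_resolve, server_side_logout))
```

With the signed-cookie model the replay still resolves to `admin`; with the server-side model it resolves to nothing, because logout removed the record the cookie pointed at. That is the practical remediation: configure a server-side `SESSION_ENGINE` (Django's cache backend over memcached is the one the Horizon documentation points to), so that the `request.session.flush()` performed by Django's logout actually revokes the session, and keep `SESSION_COOKIE_AGE` short so that a cookie harvested before the switch has a bounded lifetime.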
Changed in ossn:
assignee: nobody → Travis McPeak (travis-mcpeak)
importance: Undecided → Medium
Changed in ossn:
status: New → In Progress
Changed in ossn:
status: In Progress → Fix Released
Although I've marked this as private, it does seem to be a well-known issue: http://www.pabloendres.com/horizon-and-cookies/