[OSSA 2014-027] Persistent XSS in the Host Aggregates interface (CVE-2014-3594)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Medium | Julie Pichon | |
| Havana | Fix Released | Medium | Julie Pichon | |
| Icehouse | Fix Released | Medium | Julie Pichon | |
| OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
Received 2014-07-28 18:08:47 +0200 via encrypted E-mail from "Dennis Felsch <email address hidden>":
Hi everyone,
We spotted an issue with Horizon in OpenStack Icehouse and the current
development version of Juno (older versions not tested):
The interface for Host Aggregates is vulnerable to persistent XSS.
Steps to reproduce the issue:
* Log into Horizon as admin
* Go to "Host Aggregates"
* Create a new host aggregate
* Enter some name and an availability zone like this: <svg onload=alert(1)>
* Save
* See alert pop up
Because we are researchers, we are happy to help you, whenever we can.
However, from the research point of view, it would be really nice to get
some acknowledgment on your site about this issue. Is something
like this possible?
The people working on this are:
Dennis Felsch (me), <email address hidden>
Mario Heiderich, <email address hidden>
Please let me know if you need more info.
Greetings,
Dennis
Changed in ossa:
  status: New → Incomplete
  importance: Undecided → High

Changed in ossa:
  status: Incomplete → Confirmed
  assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
  summary: Persistent XSS in the Host Aggregates interface → Persistent XSS in the Host Aggregates interface (CVE-2014-3594)

Changed in ossa:
  status: In Progress → Fix Committed
  information type: Private Security → Public Security
  summary: Persistent XSS in the Host Aggregates interface (CVE-2014-3594) → [OSSA 2014-027] Persistent XSS in the Host Aggregates interface (CVE-2014-3594)

Changed in ossa:
  status: Fix Committed → Fix Released

Changed in horizon:
  status: Fix Committed → Fix Released

Changed in horizon:
  milestone: juno-3 → 2014.2
Thank you for the bug report. I just reproduced on the master branch.
This is happening for the AZ name in the metadata column. This is caused by horizon using the 'unordered_list' django filter outside the context of a template, causing autoescaping not to be switched on and the input not to be sanitised. A quick check suggests this is the only file in the codebase where we're using this filter.
With regard to the impact, I think it is limited because only admins are allowed to create host aggregates and availability zones.
As indicated in the description Icehouse is likely affected too. The aggregates panel didn't exist in Havana. In Havana though, the 'unordered_list' filter was used when displaying availability zones in the System Info admin panel (read-only from the dashboard at the time). I'll test and backport the fix there too just to be safe.
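An added illustration of the failure mode described in the comment above; it is not Horizon's or Django's code. It uses a minimal stand-in for the Django 1.x `unordered_list` filter, whose escaping depends on an `autoescape` argument that only the template engine supplies, so a direct call from Python emits item text raw unless the caller passes it explicitly. The function names and the sample zone list are constructed for the example.

```python
import html


def unordered_list_1x(items, autoescape=None):
    """Minimal stand-in for the Django 1.x 'unordered_list' filter.

    Only the behaviour relevant to this bug is mirrored: items are escaped
    when autoescape is truthy. Inside a template the engine passes
    autoescape=True; a direct call from Python code (as in a table column
    renderer) sets nothing, so the text is emitted unescaped.
    Constructed re-implementation, not Django's code.
    """
    escaper = html.escape if autoescape else (lambda s: s)
    return "\n".join("\t<li>%s</li>" % escaper(item) for item in items)


# Constructed sample: one ordinary zone name and one of the shape reported.
ZONES = ["nova", "<svg onload=alert(1)>"]


def render_zones_vulnerable(zones):
    # The buggy pattern: filter invoked outside a template, autoescape unset.
    return unordered_list_1x(zones)


def render_zones_fixed(zones):
    # Hardened: request escaping explicitly so every item is escaped before
    # the resulting HTML is treated as safe by the caller.
    return unordered_list_1x(zones, autoescape=True)


def contains_raw_markup(rendered):
    # Unit-test style check: after removing the <li> tags the filter itself
    # emits, any remaining '<' came unescaped from user-controlled input.
    stripped = rendered.replace("<li>", "").replace("</li>", "")
    return "<" in stripped


if __name__ == "__main__":
    print(render_zones_vulnerable(ZONES))
    print(render_zones_fixed(ZONES))
```

The `contains_raw_markup` check is the kind of regression test worth keeping next to any code path that calls an autoescape-aware filter directly.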