[OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)

Bug #1567673 reported by Brandon Sawyers
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Critical
Tristan Cacqueray
OpenStack Security Advisory
Undecided
Unassigned

Bug Description

I'm working through my groups process to deploy a new web app so that we can provide openstack in our production environment. Part of that process is having an authenticated security scan done by Acunetix.

I've attached a screenshot of the report for the alert received during the scan.

Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.

Quick research found the following link which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Any input would be greatly appreciated.

Thanks!
Brandon

CVE References

Revision history for this message
Brandon Sawyers (brandor5) wrote :
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@Horizon-coresec, were you able to reproduce ?

@brandon, what version of openstack are you testing ?

Revision history for this message
Brandon Sawyers (brandor5) wrote :

@Tristan, I'm using RDO Liberty...package version is openstack-dashboard-8.0.0-1.el7.noarch.

Revision history for this message
Brandon Sawyers (brandor5) wrote :

Any updates on this?

Thanks. :)

Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

added Richard to get some core that worked on angular in the bug

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

I can confirm that Horizon is vulnerable to this exploit, since Django is involved in generating all top-level HTML, and that will always include templating in user-supplied data which is not sanitised for angularjs safety.

To reproduce, create a new Image with the Description set to:

 {$
    "a".constructor.prototype.charAt=[].join;
    $eval("x=alert(1)")+""
 $}

Even though you receive an error, the value is templated back into the form by Django to be returned to the user, and the alert will pop up. A few times.

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

I believe the following code, added to the top of settings.py in Horizon, will blanket fix this issue.
 import django.utils.html

 def escape(text, existing=django.utils.html.escape):
    # replace our angular markup string with a different string
    # (just happens to be the Django comment string)
    return existing(text).replace('{$', '{%').replace('$}', '%}')

 django.utils.html.escape = escape

I have not done a thorough analysis of whether this is further exploitable, though I believe it is not. I am not sure whether it will damage any data in OpenStack (I don't know whether "{$" and "$}" are valid values of data anywhere in OpenStack).

Changed in horizon:
status: New → Confirmed
Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

I think the only place that could suffer from the blanket replacement is heat templates, and "{$" and "$}" are not part of that syntax.

The only change I'd make to the above patch therefore is to move it out into horizon.utils.escape.monkeypatch_escape so that the bulk of the code wasn't in settings. It's not clear whether other code might import escape from the django.utils.html module (thus avoiding our ability to monkey-patch it) hence I have placed the code as early as possible in our application.

Revision history for this message
Brandon Sawyers (brandor5) wrote :

Thanks guys, I'll put this workaround in place and have our security group test again.

Appreciate all the help. :)

Revision history for this message
Brandon Sawyers (brandor5) wrote :

As a follow up, I applied the suggested workaround (putting the code into settings.py) and it cleared the alert reported above, but still alerted at /dashboard/auth/login.

I will attach a screenshot of the updated alert.

If there is anything else I can do to help, just let me know.

Revision history for this message
Brandon Sawyers (brandor5) wrote :
Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

I believe that's a false positive as we don't use the standard "{{" and "}}" as our angular template markers, we use "{$" and "$}", hence the code I implemented escapes those and not the standard markers.

I have confirmed that with the code I propose above in place, the exploit is neutralised in the login page.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thank you Richard, could you follow this documentation to propose a proper patch:

https://security.openstack.org/#how-to-propose-and-review-a-security-patch

Horizon-coresec, please review comment #8

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

Thanks, Tristan! Here's the patch.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Oh, well if there are no other way to escape angular template marker, then that patch looks good to me.

@horizon-coresec, please review above patch (comment #15).

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

This is probably a class A type of bug according to https://security.openstack.org/vmt-process.html#incident-report-taxonomy. I've confirmed the ossa task.

Changed in ossa:
status: Incomplete → Confirmed
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

This could probably be fixed in the open, any concern if we switch this bug report to public ?

OSSG-coresec is now subscribed too.

Revision history for this message
David Lyle (david-lyle) wrote : Re: [Bug 1567673] Re: Possible client side template injection in horizon

I'm good with the patch in comment #15.

On Mon, May 9, 2016 at 9:50 AM, Tristan Cacqueray <email address hidden> wrote:
> This could probably be fixed in the open, any concern if we switch this
> bug report to public ?
>
> OSSG-coresec is now subscribed too.
>
> --
> You received this bug notification because you are a member of Horizon
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Confirmed
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions

Revision history for this message
David Lyle (david-lyle) wrote :

I'm good with the patch in #15.

Revision history for this message
Travis McPeak (travis-mcpeak) wrote : Re: Possible client side template injection in horizon

If an attacker is able to inject code that is only rendered for themselves (as the PoC showed) then we shouldn't be too worried and we can fix in public. If there are other exploit vectors where an attacker can inject templates that are rendered for others then it's a more serious issue.

Is this a new issue or something we'll have to backport?

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

The attack can be added to strings served up to other users.

Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

OK, in that case this this seems like it may warrant an embargoed disclosure.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Alright, then we also need backport of patch in #15 for mitaka and liberty (kilo can be skipped since it's now eoled). This could be disclosed next week if all patches are approved by Friday.

Richard, can you please attach cherry-pick of the master patch ?

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@Brandon Sawyer, is there an affiliation we could reference in the advisory ?

Proposed impact description draft #1:

Title: XSS in Horizon client side template
Reporter: Brandon Sawyers
Products: Horizon
Affects: <=8.0.0, >=8.0.0 <=8.0.1 and 9.0.0

Description:
Brandon Sawyer reported a vulnerability in Horizon. By injecting angularjs template in dashboard forms such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browse the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Changed in ossa:
status: Confirmed → Triaged
Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

I believe we've ratholed here before, and not meaning to kick up dust, but the "affects" is confusing. Is there any way we can make versions more clear? If not, no worries.

Revision history for this message
Brandon Sawyers (brandor5) wrote : Re: [Bug 1567673] Re: Possible client side template injection in horizon

Would it be possible to add Beth Lancaster as the discoverer of the bug as
well? We work for Virginia Tech.

Also, thank all of you for your help with this issue. 😃 We appreciate it a
lot.

Thanks,
Brandon

On Thu, May 12, 2016, 16:26 Travis McPeak <email address hidden> wrote:

> I believe we've ratholed here before, and not meaning to kick up dust,
> but the "affects" is confusing. Is there any way we can make versions
> more clear? If not, no worries.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Triaged
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
>

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Possible client side template injection in horizon

The affect lines format is defined here: https://security.openstack.org/vmt-process.html#impact-description-description

I agree this isn't ideal, but at least it is exhaustive and similar to other OSSA.

Perhaps this one could be simplified to:

Affects: <=8.0.0, 8.0.1 and 9.0.0

Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

@Tristan - the new one you proposed looks MUCH clearer, thank you.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thank you folks for the feedback, here is proposed impact description draft #2:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.0, 8.0.1 and 9.0.0

Description:
Beth Lancaster and Brandon Sawyer from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browse the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Revision history for this message
Brandon Sawyers (brandor5) wrote : Re: [Bug 1567673] Re: Possible client side template injection in horizon

SawyerS... ;)

On Thu, May 12, 2016, 20:10 Tristan Cacqueray <email address hidden> wrote:

> Thank you folks for the feedback, here is proposed impact description
> draft #2:
>
> Title: XSS in Horizon client side template
> Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
> Products: Horizon
> Affects: <=8.0.0, 8.0.1 and 9.0.0
>
> Description:
> Beth Lancaster and Brandon Sawyer from Virginia Tech reported a
> vulnerability in Horizon. By injecting Angularjs template in dashboard
> forms such as image's description, an authenticated user may trigger a
> cross-site-scripting vulnerability when another user browse the affected
> pages. It may result in potential assets theft like user access
> credentials. All Horizon setups are affected.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Triaged
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
>

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Possible client side template injection in horizon

Oups, sorry about that. I also fixed a couple of typos, here is impact description draft #3:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.0, 8.0.1 and 9.0.0

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Is (or will there be) a version between 8.0.0 and 8.0.1? If not, then this is also the same as...

Affects: <=8.0.1, 9.0.0

(assuming it will be fixed in 8.0.2 for stable/liberty and 9.0.1 for stable/mitaka)

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Richard, David, please find backports posted above (comments #34 et #35).

Final impact description draft:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.1, 9.0.0

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Tristan's updated impact description in comment #36 looks sufficient. Thanks!

summary: - Possible client side template injection in horizon
+ Possible client side template injection in horizon (CVE-2016-4428)
Changed in ossa:
status: Triaged → In Progress
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Possible client side template injection in horizon (CVE-2016-4428)

horizon-coresec, please review and approve patch in comments #15, #34 et #35.

If this is ready by Monday, we could use this public disclosure date:
2016-05-19, 15:00 UTC

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

pep8 is failing with:
./horizon/utils/escape.py:25:53: W291 trailing whitespace.

Please find below a new set of patchs fixing that trailing space.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@horizon-coresec, please review the three patches above.

Revision history for this message
Rob Cresswell (robcresswell) wrote :

Works for me. I was unable to recreate the bug in Liberty, Mitaka, or Newton after applying the patch. Thanks!

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thanks Rob, I'm waiting for core reviewer approval before moving on with this issue.

Proposed disclosure date: 2016-06-15, 1500UTC

Revision history for this message
Jeremy Stanley (fungi) wrote :

With last week's stable/mitaka point release, this should now be...

    Affects: <=8.0.1, >=9.0.0 <=9.0.1

Revision history for this message
David Lyle (david-lyle) wrote :

The patches in comments 40-42 look good to me. I think we're ready to move forward.

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/329996

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/329997

Changed in horizon:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/329998

summary: - Possible client side template injection in horizon (CVE-2016-4428)
+ [OSSA-2016-010] Possible client side template injection in horizon
+ (CVE-2016-4428)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ossa (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/330002

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/329998
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Submitter: Jenkins
Branch: master

commit 62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7

Changed in horizon:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/mitaka)

Reviewed: https://review.openstack.org/329996
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=fc8d70560401f3985e5672a4c580f10d51e985a4
Submitter: Jenkins
Branch: stable/mitaka

commit fc8d70560401f3985e5672a4c580f10d51e985a4
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
    (cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)

tags: added: in-stable-mitaka
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/liberty)

Reviewed: https://review.openstack.org/329997
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d585e5eb9acf92d10d39b6c2038917a7e8ac71bb
Submitter: Jenkins
Branch: stable/liberty

commit d585e5eb9acf92d10d39b6c2038917a7e8ac71bb
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
    (cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)

tags: added: in-stable-liberty
Changed in ossa:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ossa (master)

Reviewed: https://review.openstack.org/330002
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=d155fe8c1abf44f17ffb29011f73b9873b032b51
Submitter: Jenkins
Branch: master

commit d155fe8c1abf44f17ffb29011f73b9873b032b51
Author: Tristan Cacqueray <email address hidden>
Date: Wed Jun 15 11:11:13 2016 -0400

    Adds OSSA-2016-010 (CVE-2016-4428)

    Change-Id: I682d36be196502568c64e8f2142d4555cdc1b0be
    Related-Bug: #1567673

Revision history for this message
Thomas Goirand (thomas-goirand) wrote :
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/horizon 10.0.0.0b2

This issue was fixed in the openstack/horizon 10.0.0.0b2 development milestone.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/horizon 9.1.0

This issue was fixed in the openstack/horizon 9.1.0 release.

Changed in horizon:
milestone: none → newton-2
importance: Undecided → Critical
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/horizon 9.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 8.0.2

This issue was fixed in the openstack/horizon 8.0.2 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers