[OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

@Horizon-coresec, were you able to reproduce ?

@brandon, what version of openstack are you testing ?

@Tristan, I'm using RDO Liberty...package version is openstack-dashboard-8.0.0-1.el7.noarch.

Any updates on this?

Thanks. :)

added Richard to get some core that worked on angular in the bug

I can confirm that Horizon is vulnerable to this exploit, since Django is involved in generating all top-level HTML, and that will always include templating in user-supplied data which is not sanitised for angularjs safety.

To reproduce, create a new Image with the Description set to:

 {$
    "a".constructor.prototype.charAt=[].join;
    $eval("x=alert(1)")+""
 $}

Even though you receive an error, the value is templated back into the form by Django to be returned to the user, and the alert will pop up. A few times.

I believe the following code, added to the top of settings.py in Horizon, will blanket fix this issue.
 import django.utils.html

 def escape(text, existing=django.utils.html.escape):
    # replace our angular markup string with a different string
    # (just happens to be the Django comment string)
    return existing(text).replace('{$', '{%').replace('$}', '%}')

 django.utils.html.escape = escape

I have not done a thorough analysis of whether this is further exploitable, though I believe it is not. I am not sure whether it will damage any data in OpenStack (I don't know whether "{$" and "$}" are valid values of data anywhere in OpenStack).

I think the only place that could suffer from the blanket replacement is heat templates, and "{$" and "$}" are not part of that syntax.

The only change I'd make to the above patch therefore is to move it out into horizon.utils.escape.monkeypatch_escape so that the bulk of the code wasn't in settings. It's not clear whether other code might import escape from the django.utils.html module (thus avoiding our ability to monkey-patch it) hence I have placed the code as early as possible in our application.

Thanks guys, I'll put this workaround in place and have our security group test again.

Appreciate all the help. :)

As a follow up, I applied the suggested workaround (putting the code into settings.py) and it cleared the alert reported above, but still alerted at /dashboard/auth/login.

I will attach a screenshot of the updated alert.

If there is anything else I can do to help, just let me know.

I believe that's a false positive as we don't use the standard "{{" and "}}" as our angular template markers, we use "{$" and "$}", hence the code I implemented escapes those and not the standard markers.

I have confirmed that with the code I propose above in place, the exploit is neutralised in the login page.

Thank you Richard, could you follow this documentation to propose a proper patch:

https://security.openstack.org/#how-to-propose-and-review-a-security-patch

Horizon-coresec, please review comment #8

Thanks, Tristan! Here's the patch.

Oh, well if there are no other way to escape angular template marker, then that patch looks good to me.

@horizon-coresec, please review above patch (comment #15).

This is probably a class A type of bug according to https://security.openstack.org/vmt-process.html#incident-report-taxonomy. I've confirmed the ossa task.

This could probably be fixed in the open, any concern if we switch this bug report to public ?

OSSG-coresec is now subscribed too.

I'm good with the patch in comment #15.

On Mon, May 9, 2016 at 9:50 AM, Tristan Cacqueray <email address hidden> wrote:
> This could probably be fixed in the open, any concern if we switch this
> bug report to public ?
>
> OSSG-coresec is now subscribed too.
>
> --
> You received this bug notification because you are a member of Horizon
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Confirmed
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions

I'm good with the patch in #15.

If an attacker is able to inject code that is only rendered for themselves (as the PoC showed) then we shouldn't be too worried and we can fix in public. If there are other exploit vectors where an attacker can inject templates that are rendered for others then it's a more serious issue.

Is this a new issue or something we'll have to backport?

The attack can be added to strings served up to other users.

OK, in that case this this seems like it may warrant an embargoed disclosure.

Alright, then we also need backport of patch in #15 for mitaka and liberty (kilo can be skipped since it's now eoled). This could be disclosed next week if all patches are approved by Friday.

Richard, can you please attach cherry-pick of the master patch ?

@Brandon Sawyer, is there an affiliation we could reference in the advisory ?

Proposed impact description draft #1:

Title: XSS in Horizon client side template
Reporter: Brandon Sawyers
Products: Horizon
Affects: <=8.0.0, >=8.0.0 <=8.0.1 and 9.0.0

Description:
Brandon Sawyer reported a vulnerability in Horizon. By injecting angularjs template in dashboard forms such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browse the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

I believe we've ratholed here before, and not meaning to kick up dust, but the "affects" is confusing. Is there any way we can make versions more clear? If not, no worries.

Would it be possible to add Beth Lancaster as the discoverer of the bug as
well? We work for Virginia Tech.

Also, thank all of you for your help with this issue. 😃 We appreciate it a
lot.

Thanks,
Brandon

On Thu, May 12, 2016, 16:26 Travis McPeak <email address hidden> wrote:

> I believe we've ratholed here before, and not meaning to kick up dust,
> but the "affects" is confusing. Is there any way we can make versions
> more clear? If not, no worries.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Triaged
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
>

The affect lines format is defined here: https://security.openstack.org/vmt-process.html#impact-description-description

I agree this isn't ideal, but at least it is exhaustive and similar to other OSSA.

Perhaps this one could be simplified to:

Affects: <=8.0.0, 8.0.1 and 9.0.0

@Tristan - the new one you proposed looks MUCH clearer, thank you.

Thank you folks for the feedback, here is proposed impact description draft #2:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.0, 8.0.1 and 9.0.0

Description:
Beth Lancaster and Brandon Sawyer from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browse the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

SawyerS... ;)

On Thu, May 12, 2016, 20:10 Tristan Cacqueray <email address hidden> wrote:

> Thank you folks for the feedback, here is proposed impact description
> draft #2:
>
> Title: XSS in Horizon client side template
> Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
> Products: Horizon
> Affects: <=8.0.0, 8.0.1 and 9.0.0
>
> Description:
> Beth Lancaster and Brandon Sawyer from Virginia Tech reported a
> vulnerability in Horizon. By injecting Angularjs template in dashboard
> forms such as image's description, an authenticated user may trigger a
> cross-site-scripting vulnerability when another user browse the affected
> pages. It may result in potential assets theft like user access
> credentials. All Horizon setups are affected.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Triaged
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my groups process to deploy a new web app so that
> we can provide openstack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-
> side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
>

Oups, sorry about that. I also fixed a couple of typos, here is impact description draft #3:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.0, 8.0.1 and 9.0.0

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Is (or will there be) a version between 8.0.0 and 8.0.1? If not, then this is also the same as...

Affects: <=8.0.1, 9.0.0

(assuming it will be fixed in 8.0.2 for stable/liberty and 9.0.1 for stable/mitaka)

Richard, David, please find backports posted above (comments #34 et #35).

Final impact description draft:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.1, 9.0.0

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.

Tristan's updated impact description in comment #36 looks sufficient. Thanks!

horizon-coresec, please review and approve patch in comments #15, #34 et #35.

If this is ready by Monday, we could use this public disclosure date:
2016-05-19, 15:00 UTC

pep8 is failing with:
./horizon/utils/escape.py:25:53: W291 trailing whitespace.

Please find below a new set of patchs fixing that trailing space.

@horizon-coresec, please review the three patches above.

Works for me. I was unable to recreate the bug in Liberty, Mitaka, or Newton after applying the patch. Thanks!

Thanks Rob, I'm waiting for core reviewer approval before moving on with this issue.

Proposed disclosure date: 2016-06-15, 1500UTC

With last week's stable/mitaka point release, this should now be...

    Affects: <=8.0.1, >=9.0.0 <=9.0.1

The patches in comments 40-42 look good to me. I think we're ready to move forward.

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/329996

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/329997

Fix proposed to branch: master
Review: https://review.openstack.org/329998

Related fix proposed to branch: master
Review: https://review.openstack.org/330002

Reviewed: https://review.openstack.org/329998
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Submitter: Jenkins
Branch: master

commit 62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7

Reviewed: https://review.openstack.org/329996
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=fc8d70560401f3985e5672a4c580f10d51e985a4
Submitter: Jenkins
Branch: stable/mitaka

commit fc8d70560401f3985e5672a4c580f10d51e985a4
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
    (cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)

Reviewed: https://review.openstack.org/329997
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d585e5eb9acf92d10d39b6c2038917a7e8ac71bb
Submitter: Jenkins
Branch: stable/liberty

commit d585e5eb9acf92d10d39b6c2038917a7e8ac71bb
Author: Richard Jones <email address hidden>
Date: Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
    (cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)

Reviewed: https://review.openstack.org/330002
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=d155fe8c1abf44f17ffb29011f73b9873b032b51
Submitter: Jenkins
Branch: master

commit d155fe8c1abf44f17ffb29011f73b9873b032b51
Author: Tristan Cacqueray <email address hidden>
Date: Wed Jun 15 11:11:13 2016 -0400

    Adds OSSA-2016-010 (CVE-2016-4428)

    Change-Id: I682d36be196502568c64e8f2142d4555cdc1b0be
    Related-Bug: #1567673

FYI, the patch backported to Icehouse is available here:

http://anonscm.debian.org/cgit/openstack/horizon.git/tree/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc?h=debian/icehouse&id=d74e751ce93f03240f3ad4206e93d6e7e05da55f

This issue was fixed in the openstack/horizon 10.0.0.0b2 development milestone.

This issue was fixed in the openstack/horizon 9.1.0 release.

This issue was fixed in the openstack/horizon 9.1.0 release.

This issue was fixed in the openstack/horizon 8.0.2 release.