Generate and download keypair GET endpoint allows CSRF attacks
Bug #1575913 reported by Steve McLellan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | High | Gary W. Smith |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Requests to create (and download) nova keypairs are made as GETs. As such the CSRF token is not sent nor validated on these requests. This breaks the principle Django's CSRF middleware relies upon which is that requests with side effects should not cause side effects. I'm told there was a reason for doing this related to being able to send the data back to the browser, and that this may not be trivial to fix.
Filing this as a security bug since a malicious site could fool a user into creating keypairs. The attacker would not gain access to the contents, so the impact is not as serious as it might seem at first glance.
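As an added illustration (not code from the report or from Horizon itself), the following Python models the rule Django's CSRF middleware applies and contrasts the GET endpoint described above with a POST-only version; the `Request` class, the handler names and the in-memory keypair store are hypothetical stand-ins.

```python
import hmac
import secrets

# Django's CsrfViewMiddleware never validates a token on these methods.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
VICTIM_TOKEN = secrets.token_hex(16)  # constructed: the victim's csrftoken cookie
created_keypairs = []                  # hypothetical stand-in for the nova keypair store

class Request:
    """Minimal stand-in for a Django HttpRequest (hypothetical)."""
    def __init__(self, method, cookies=None, data=None):
        self.method = method
        self.cookies = cookies or {}
        self.data = data or {}  # query string for GET, form body for POST

def csrf_ok(request):
    """Same rule as the middleware: safe methods pass unchecked; unsafe ones
    need a form token equal to the csrftoken cookie (real Django also checks
    Referer/Origin on HTTPS, omitted here)."""
    if request.method in SAFE_METHODS:
        return True
    expected = request.cookies.get("csrftoken", "")
    supplied = request.data.get("csrfmiddlewaretoken", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)

def generate_keypair_get(request):
    """Shape reported in the bug: creation is a side effect of a GET, so the
    token is never checked and a cross-site link can trigger it."""
    if not csrf_ok(request):
        return 403, None
    created_keypairs.append(request.data["name"])
    return 200, "PRIVATE KEY for %s" % request.data["name"]

def generate_keypair_post(request):
    """Hardened shape: POST only with a validated token; the private key is
    still returned in the response body so the browser can save it."""
    if request.method != "POST":
        return 405, None
    if not csrf_ok(request):
        return 403, None
    created_keypairs.append(request.data["name"])
    return 200, "PRIVATE KEY for %s" % request.data["name"]

def cross_site_request(method, name):
    """What arrives when another origin triggers the endpoint: the browser
    attaches the victim's cookies, but that origin cannot read csrftoken,
    so no matching token accompanies the request."""
    return Request(method, cookies={"csrftoken": VICTIM_TOKEN}, data={"name": name})

def same_site_request(name):
    """A legitimate form submission rendered by the dashboard's own page."""
    return Request("POST", cookies={"csrftoken": VICTIM_TOKEN},
                   data={"name": name, "csrfmiddlewaretoken": VICTIM_TOKEN})
```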
description: updated
Changed in ossa:
  status: Incomplete → Won't Fix
information type: Private Security → Public
tags: added: security
Changed in horizon:
  assignee: nobody → Gary W. Smith (gary-w-smith)
  status: New → In Progress
Changed in horizon:
  milestone: none → pike-3
  importance: Undecided → High
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.