Im put of the office so attempting to reply by email on phone.

A concern is that in the attack described, new keypairs could be created
that would later used in a social engineering attack. Naming keys certain
ways might encourage their use in future or as part of a more complex
attack scenario.

On 28 Nov 2016 17:15, "Jeremy Stanley" <email address hidden> wrote:

> ** Description changed:
>
> - This issue is being treated as a potential security risk under embargo.
> - Please do not make any public mention of embargoed (private) security
> - vulnerabilities before their coordinated publication by the OpenStack
> - Vulnerability Management Team in the form of an official OpenStack
> - Security Advisory. This includes discussion of the bug or associated
> - fixes in public forums such as mailing lists, code review systems and
> - bug trackers. Please also avoid private disclosure to other individuals
> - not already approved for access to this information, and provide this
> - same reminder to those who are made aware of the issue prior to
> - publication. All discussion should remain confined to this private bug
> - report, and any proposed fixes should be added to the bug as
> - attachments.
> -
>   Requests to create (and download) nova keypairs are made as GETs. As
>   such the CSRF token is not sent nor validated on these requests. This
>   breaks the principle Django's CSRF middleware relies upon which is that
>   requests with side effects should not cause side effects. I'm told there
>   was a reason for doing this related to being able to send the data back
>   to the browser, and that this may not be trivial to fix.
>
>   Filing this as a security bug since a malicious site could fool a user
>   into creating keypairs. The attacker would not gain access to the
>   contents, so the impact is not as serious as it might seem at first
>   glance.
>
>   See
>   https://github.com/openstack/horizon/blob/master/openstack_
> dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
>
> ** Changed in: ossa
>        Status: Incomplete => Won't Fix
>
> ** Information type changed from Private Security to Public
>
> ** Tags added: security
>
> --
> You received this bug notification because you are a member of OSSG
> CoreSec, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1575913
>
> Title:
>   Generate and download keypair GET endpoint allows CSRF attacks
>
> Status in OpenStack Dashboard (Horizon):
>   New
> Status in OpenStack Security Advisory:
>   Won't Fix
>
> Bug description:
>   Requests to create (and download) nova keypairs are made as GETs. As
>   such the CSRF token is not sent nor validated on these requests. This
>   breaks the principle Django's CSRF middleware relies upon which is
>   that requests with side effects should not cause side effects. I'm
>   told there was a reason for doing this related to being able to send
>   the data back to the browser, and that this may not be trivial to fix.
>
>   Filing this as a security bug since a malicious site could fool a user
>   into creating keypairs. The attacker would not gain access to the
>   contents, so the impact is not as serious as it might seem at first
>   glance.
>
>   See
>   https://github.com/openstack/horizon/blob/master/openstack_
> dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1575913/+subscriptions
>