2017-02-22 20:04:27 |
Eric Brown |
bug |
|
|
added bug |
2017-02-22 20:13:56 |
Morgan Fainberg |
description |
Found in Mitaka
Steps:
- Setup federation in keystone and horizon
- Launch and login to horizon as an admin
- Click on the Federation->Mappings tab
- Create or update a mapping with the following content that contains javascript
[
{
"local": [
{
"domain": {
"name": "Default"
},
"group": {
"domain": {
"name": "Default"
},
"name": "Federated Users"
},
"user": {
"name": "{<script>alert('test');</script>}",
"email": "{1}"
},
"groups": "{2}"
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "MELLON_userEmail"
},
{
"type": "MELLON_groups"
}
]
}
]
Now whenever this Federation->Mapping page is shown, the javascript will execute.
It appears other pages in horizon protect against such attacks (such as Users, Groups, etc). So I'm guessing that the rendering of this page just needs to be escaped to ignore tags. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Found in Mitaka
Steps:
- Setup federation in keystone and horizon
- Launch and login to horizon as an admin
- Click on the Federation->Mappings tab
- Create or update a mapping with the following content that contains javascript
[
{
"local": [
{
"domain": {
"name": "Default"
},
"group": {
"domain": {
"name": "Default"
},
"name": "Federated Users"
},
"user": {
"name": "{<script>alert('test');</script>}",
"email": "{1}"
},
"groups": "{2}"
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "MELLON_userEmail"
},
{
"type": "MELLON_groups"
}
]
}
]
Now whenever this Federation->Mapping page is shown, the javascript will execute.
It appears other pages in horizon protect against such attacks (such as Users, Groups, etc). So I'm guessing that the rendering of this page just needs to be escaped to ignore tags. |
|
2017-02-22 20:14:14 |
Morgan Fainberg |
bug task added |
|
ossa |
|
2017-02-22 20:14:20 |
Morgan Fainberg |
ossa: status |
New |
Incomplete |
|
2017-02-22 20:14:52 |
Morgan Fainberg |
bug |
|
|
added subscriber Horizon Core security contacts |
2017-02-22 22:38:47 |
Richard Jones |
horizon: status |
New |
Triaged |
|
2017-02-22 22:38:49 |
Richard Jones |
horizon: importance |
Undecided |
Critical |
|
2017-02-22 22:39:02 |
Richard Jones |
horizon: milestone |
|
pike-1 |
|
2017-02-22 22:41:21 |
Richard Jones |
tags |
|
mitaka-backport-potential newton-backport-potential ocata-backport-potential |
|
2017-03-03 16:15:58 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2017-03-03 16:22:26 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Found in Mitaka
Steps:
- Setup federation in keystone and horizon
- Launch and login to horizon as an admin
- Click on the Federation->Mappings tab
- Create or update a mapping with the following content that contains javascript
[
{
"local": [
{
"domain": {
"name": "Default"
},
"group": {
"domain": {
"name": "Default"
},
"name": "Federated Users"
},
"user": {
"name": "{<script>alert('test');</script>}",
"email": "{1}"
},
"groups": "{2}"
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "MELLON_userEmail"
},
{
"type": "MELLON_groups"
}
]
}
]
Now whenever this Federation->Mapping page is shown, the javascript will execute.
It appears other pages in horizon protect against such attacks (such as Users, Groups, etc). So I'm guessing that the rendering of this page just needs to be escaped to ignore tags. |
Found in Mitaka
Steps:
- Setup federation in keystone and horizon
- Launch and login to horizon as an admin
- Click on the Federation->Mappings tab
- Create or update a mapping with the following content that contains javascript
[
{
"local": [
{
"domain": {
"name": "Default"
},
"group": {
"domain": {
"name": "Default"
},
"name": "Federated Users"
},
"user": {
"name": "{<script>alert('test');</script>}",
"email": "{1}"
},
"groups": "{2}"
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "MELLON_userEmail"
},
{
"type": "MELLON_groups"
}
]
}
]
Now whenever this Federation->Mapping page is shown, the javascript will execute.
It appears other pages in horizon protect against such attacks (such as Users, Groups, etc). So I'm guessing that the rendering of this page just needs to be escaped to ignore tags. |
|
2017-03-05 22:05:38 |
Adam Heczko |
bug |
|
|
added subscriber Adam Heczko |
2017-03-07 05:56:27 |
OpenStack Infra |
horizon: status |
Triaged |
In Progress |
|
2017-03-07 05:56:27 |
OpenStack Infra |
horizon: assignee |
|
Richard Jones (r1chardj0n3s) |
|
2017-03-07 08:51:43 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Released |
|
2017-03-07 14:03:57 |
OpenStack Infra |
tags |
mitaka-backport-potential newton-backport-potential ocata-backport-potential |
in-stable-mitaka mitaka-backport-potential newton-backport-potential ocata-backport-potential |
|
2017-03-07 14:04:07 |
OpenStack Infra |
tags |
in-stable-mitaka mitaka-backport-potential newton-backport-potential ocata-backport-potential |
in-stable-mitaka in-stable-newton mitaka-backport-potential newton-backport-potential ocata-backport-potential |
|
2017-03-07 14:04:15 |
OpenStack Infra |
tags |
in-stable-mitaka in-stable-newton mitaka-backport-potential newton-backport-potential ocata-backport-potential |
in-stable-mitaka in-stable-newton in-stable-ocata mitaka-backport-potential newton-backport-potential ocata-backport-potential |
|
2017-03-17 14:25:48 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
2017-04-03 13:07:27 |
Tristan Cacqueray |
summary |
XSS in federation mappings UI |
[OSSA-2017-003] XSS in federation mappings UI (CVE-2017-7400) |
|
2017-04-03 13:07:33 |
Tristan Cacqueray |
ossa: status |
Confirmed |
In Progress |
|
2017-04-03 13:07:38 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2017-04-05 13:13:30 |
OpenStack Infra |
ossa: status |
In Progress |
Fix Released |
|
2017-04-05 13:13:33 |
OpenStack Infra |
cve linked |
|
2017-7400 |
|