In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

Hi Jeremy,

Any update on this?

Regards,
Verneet

I'm hoping one of the Horizon security reviewers subscribed to this report will get the opportunity to confirm and triage it, and if necessary discuss potential fixes as well as determine whether the risk is severe enough to warrant keeping the discussion under embargo until a solution is implemented.

HTML tags are quoted

Given that:

1. A malicious actor would need to coerce the victim into following their custom URL via a phishing E-mail or linking from an external site.

2. The injected content can't effectively embed a hyperlink or other markup and so would look at least slightly suspicious when referring to an attacker's domain.

I feel like the risk posed by this is insufficient to warrant any private embargo, and could safely be discussed in public (likely as a security hardening opportunity). Does anyone object?

Is this a horizon issue, or is this an issue in the underlying Django framework?

Otherwise I agree with the previous statement from Jeremy.

> Is this a horizon issue, or is this an issue in the underlying Django framework?

This is an issue in horizon. Horizon overrides a view for CSRF failure which redirects to the login form. This happens when the login form refers to a reason of CSRF failure. (The original behavior of Django is to show an error page specific to CSRF failure.)

I agree with Jeremy that we can make this public. An attacker cannot inject markup tags and can only inject a text. Of course it is better to fix it but I think this can be public.

I've made this report public. For now the OpenStack VMT is considering it a security hardening opportunity (class D report), so no corresponding advisory publication is planned but fixing is still encouraged of course: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Fix proposed to branch: master
Review: https://review.opendev.org/757122

Hi,
Thanks everyone for considering it as a security bug.

Can i apply for CVE?

Thanks!

//Verneet

While this bug does have security implications, there is no direct impact that can be made on an OpenStack deployment itself. So I agree with the class D rating. Sorry Verneet, but I believe in this case no CVE would be assigned.

Reviewed: https://review.opendev.org/757122
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=8a963626e12ee25cf2f9ab29c172b16f5bbce4c9
Submitter: Zuul
Branch: master

commit 8a963626e12ee25cf2f9ab29c172b16f5bbce4c9
Author: Ivan Kolodyazhny <email address hidden>
Date: Fri Oct 9 17:58:32 2020 +0300

    Added validation for csrf_failure GET argument

    During csrf_failure argument validation horizon drops unknown messages
    so nobody can't inject any message to login view.

    Change-Id: I78a7592562a6249629f4d236ca59eb83d9094123
    Closes-Bug: #1898465

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/758544

Reviewed: https://review.opendev.org/758544
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=376a1244a8a583bebeb5b2ed4f645dae338fbcff
Submitter: Zuul
Branch: stable/victoria

commit 376a1244a8a583bebeb5b2ed4f645dae338fbcff
Author: Ivan Kolodyazhny <email address hidden>
Date: Fri Oct 9 17:58:32 2020 +0300

    Added validation for csrf_failure GET argument

    During csrf_failure argument validation horizon drops unknown messages
    so nobody can't inject any message to login view.

    Change-Id: I78a7592562a6249629f4d236ca59eb83d9094123
    Closes-Bug: #1898465
    (cherry picked from commit 8a963626e12ee25cf2f9ab29c172b16f5bbce4c9)

This issue was fixed in the openstack/horizon 19.0.0 release.

This issue was fixed in the openstack/horizon 18.6.2 release.