refreshing in log viewer interprets html and javascript

Bug #977944 reported by J. Daniel Schmidt on 2012-04-10
Affects / Status / Importance / Assigned to / Milestone:
OpenStack Dashboard (Horizon): Critical, Unassigned
Essex: Critical, Unassigned

Bug Description

In the log viewer the refreshing mechanism does not escape the fetched log data.
This means that HTML with Javascript code gets interpreted as such and thus code can be injected in a dashboard session.

A harmless test for this is this command run inside a VM:
# echo "<b>test</b>" > /dev/ttyS0

This opens up even more creativity:
# echo "<script>alert('test foobar')</script>" > /dev/ttyS0

After loading the log you just have to wait (a few seconds) for the first refresh.
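The mechanism the report describes, shown in added example code that is not Horizon's own: the "before" renderer pastes guest console output straight into the page fragment the refresh returns, so the reporter's `<b>` and `<script>` test lines are parsed as markup; the "after" renderer HTML-escapes the text first. The sample console lines, the function names and the `<pre>` wrapper are constructed for this example; `contains_markup` is a small check a reviewer could run on the fragment to confirm no guest-controlled tag survives.

```python
"""
Added example (not Horizon's code): escape guest console output before it
is handed to the dashboard's periodic log refresh.
"""
import html
import re

# Constructed sample console output, modelled on the report's test lines.
SAMPLE_CONSOLE_LOG = (
    "[    0.000000] Linux version 3.2.0 (constructed sample line)\n"
    "<b>test</b>\n"
    "<script>alert('test foobar')</script>\n"
    "login: \n"
)

WRAPPER_OPEN, WRAPPER_CLOSE = "<pre>", "</pre>"

# Matches any HTML start or end tag; used only to audit the rendered fragment.
TAG_RE = re.compile(r"</?\s*[a-zA-Z][^>]*>")


def render_log_unsafe(raw_log: str) -> str:
    """The vulnerable behaviour: guest output goes into the page untouched."""
    return WRAPPER_OPEN + raw_log + WRAPPER_CLOSE


def render_log_escaped(raw_log: str) -> str:
    """The fixed behaviour: escape <, >, &, and quotes before embedding.

    html.escape(quote=True) turns the reporter's <script> line into
    &lt;script&gt;..., which the browser displays as text instead of running.
    """
    return WRAPPER_OPEN + html.escape(raw_log, quote=True) + WRAPPER_CLOSE


def contains_markup(fragment: str) -> bool:
    """True if anything other than the wrapper tags is parsable as HTML."""
    if not (fragment.startswith(WRAPPER_OPEN) and fragment.endswith(WRAPPER_CLOSE)):
        raise ValueError("fragment is not wrapped as expected")
    inner = fragment[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return TAG_RE.search(inner) is not None


def audit(raw_log: str) -> dict:
    """Compare both renderers for one log; useful when reviewing a fix."""
    return {
        "unsafe_has_markup": contains_markup(render_log_unsafe(raw_log)),
        "escaped_has_markup": contains_markup(render_log_escaped(raw_log)),
        # The escaped text still round-trips to the original bytes for display.
        "escaped_round_trips": html.unescape(
            render_log_escaped(raw_log)[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
        ) == raw_log,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONSOLE_LOG).items():
        print(f"{key}: {value}")
```

In a Django view the equivalent call is `django.utils.html.escape`; whichever layer escapes, it must be exactly one layer, since escaping in the view and again in an autoescaping template double-encodes the text, while escaping in neither reproduces this bug.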


J. Daniel Schmidt (jdsn) on 2012-04-10
summary: - refreshing in log viewer interprets html
+ refreshing in log viewer interprets html and javascript

Thanks for your report, jdsn.

In other words this is a Cross-Site Scripting flaw which could be used to steal the session id of the logged in user viewing the logs.

I would recommend getting a CVE for it if this affects released products / software.

Robert Clark (robert-clark) wrote :

Lots of interesting attacks could leverage this.

Definitely needs a CVE in my opinion.

Robert, I agree with you. I will take care and get us one.

Since I have found the issue I guess according to the unwritten rule I have to suggest a CRD / disclosing date. Would 2012/04/20 be acceptable?

J. Daniel Schmidt (jdsn) wrote :

Proposed fix for this issue.
As this will be a CVE I attach it here rather than sending it directly to gerrit.

Russell Bryant (russellb) wrote :

Subscribed Horizon PTL to the bug.

For reference, here is the process we follow for vulnerability management in OpenStack: http://wiki.openstack.org/VulnerabilityManagement

I'd like to hold off on deciding on a CRD until we're ready to send out an advance notification of the issue. Next steps:

1) We will need a patch for both master and stable/essex. I suspect that the same patch will apply fine to both in this case.

2) The patch(es) need to be pre-approved on this bug by two members of horizon-core. Devin, can you handle that?

3) Once all of that is done, we can decide on a CRD and one of the VMT members can send out the advance notification. (I don't mind doing it.)

Devin Carlen (devcamcar) wrote :

+2 for the patch

tags: added: essex-backport-potential
Changed in horizon:
milestone: none → folsom-1
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Nebula (nebula)
Gabriel Hurley (gabriel-hurley) wrote :

Reviewed, +2, and I'm reasonably satisfied this type of problem isn't exposed similarly elsewhere at the moment.

Russell Bryant (russellb) wrote :

Thanks! Can you help clarify the scope of the vulnerability? What all is this log viewer used for? Is it just for viewing output from VM consoles? Anything more than that?

Russell Bryant (russellb) wrote :

Regarding the CRD (coordinated release date), I would normally propose a day next week. Given that a significant portion of the people responsible for getting the patch merged or updating packages will be busy at the OpenStack conference, we could do it 2 weeks out: Tuesday, April 24th. Would you consider this critical enough that we just do what it takes to get it released next week? If so, I'd say Tuesday, April 17th. I'm fine either way.

Devin Carlen (devcamcar) wrote :

Hi Russell, you are correct - the log viewer allows you to tail the logs of the guest consoles.

Russell Bryant (russellb) wrote :

Proposed description. Feedback welcome.

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: J. Daniel Schmidt <email address hidden>
Products: Horizon
Affects: All versions

Description:
J. Daniel Schmidt reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

Devin Carlen (devcamcar) wrote :

This description is accurate.

Devin Carlen (devcamcar) wrote :

Let's do Tuesday April 17th.

Paul McMillan (paul-mcmillan) wrote :

+2 on the fix, it looks good.

Agree on the earlier release date. This is absolutely critical, since it can relatively easily be exploited to gain administrator privileges in many cases.

Russell Bryant (russellb) wrote :

As requested, here is the updated description that reflects Matthias as the reporter since he originally found the issue:

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <email address hidden>
Products: Horizon
Affects: All versions

Description:
Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

visibility: private → public
Russell Bryant (russellb) wrote :

and for stable/essex: https://review.openstack.org/6621

Reviewed: https://review.openstack.org/6618
Committed: http://github.com/openstack/horizon/commit/ab2e27522aaeb0268fcc121bd3eff5a4485f313c
Submitter: Jenkins
Branch: master

commit ab2e27522aaeb0268fcc121bd3eff5a4485f313c
Author: J. Daniel Schmidt <email address hidden>
Date: Tue Apr 10 14:56:37 2012 +0200

    html escape the console log in refresh

    fixes bug 977944

    Change-Id: I89089155d1083332d02ae9039898227cbab42d07

Changed in horizon:
status: Triaged → Fix Committed
Thierry Carrez (ttx) wrote :

Essex fix is still missing. Review 6621 is blocked until 6676 is backported, and the current attempt (6727) has been abandoned by devcamcar.

https://review.openstack.org/6676 seems not to be the thing that needs backporting for this.

Thierry Carrez (ttx) wrote :

Actually this bug needs 6621 (which is the backport of 6618)... but that needs the equivalent of *6626* (not 6676) being present in the branch before it can hit.

Reviewed: https://review.openstack.org/6621
Committed: http://github.com/openstack/horizon/commit/7f8c788aa70db98ac904f37fa4197fcabb802942
Submitter: Jenkins
Branch: stable/essex

commit 7f8c788aa70db98ac904f37fa4197fcabb802942
Author: J. Daniel Schmidt <email address hidden>
Date: Tue Apr 10 14:56:37 2012 +0200

    html escape the console log in refresh

    fixes bug 977944

    (cherry picked from commit ab2e27522aaeb0268fcc121bd3eff5a4485f313c)

    Change-Id: Ic6135ebc58b6c45d6336f0833717086e43d7cccb

tags: added: in-stable-essex
Thierry Carrez (ttx) wrote :

Should be marked released only if we do a 2012.1.1 release that includes the fix.

Thierry Carrez (ttx) on 2012-05-23
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in horizon:
milestone: folsom-1 → 2012.2
Curtis Hovey (sinzui) on 2016-07-29
Changed in horizon:
assignee: Registry Administrators (registry) → nobody