refreshing in log viewer interprets html and javascript
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Critical | Unassigned | 2012.2 |
| Essex | | Critical | Unassigned | |
Bug Description
In the log viewer the refreshing mechanism does not escape the fetched log data.
This means that HTML with JavaScript code gets interpreted as such, and thus code can be injected into a dashboard session.
A harmless test for this is this command, run inside a VM:

```shell
# echo "<b>test</b>" > /dev/ttyS0
```

This opens up even more creativity:

```shell
# echo "<script>
```

After loading the log you just have to wait (a few seconds) for the first refresh.
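The mechanism described above, as an added example that is not part of the bug report or of Horizon's own code: a guest writes markup to its serial console, the dashboard fetches that console log on refresh, and whether the markup becomes live HTML depends entirely on whether the fetched text is escaped before it is spliced into the page. The console log, the `alert(document.cookie)` payload and the two `render_log_*` functions are constructed for illustration; the original report only shows the harmless `<b>test</b>` write and a truncated `<script>` command.

```python
import html
import re

# Constructed sample of a guest console log, as the log viewer would fetch it
# from the compute service. The last two lines simulate what a tenant writes
# from inside the VM with:
#   echo "<b>test</b>" > /dev/ttyS0
#   echo "<script>alert(document.cookie)</script>" > /dev/ttyS0
# (the second payload is an assumption for illustration, not from the report).
SAMPLE_CONSOLE_LOG = (
    "[    0.000000] Linux version 3.2.0 (buildd@host) ...\n"
    "[    1.234567] Freeing unused kernel memory: 612k freed\n"
    "login: \n"
    "<b>test</b>\n"
    "<script>alert(document.cookie)</script>\n"
)

# Matches any HTML tag; used to show what would reach the browser's HTML
# parser as markup rather than as text.
TAG_RE = re.compile(r"<[^>]+>")


def render_log_unescaped(log: str) -> str:
    """Vulnerable shape (hypothetical): the refreshed log is spliced into the
    page as-is, so any tag the guest wrote to its serial console becomes live
    markup in the dashboard user's session."""
    return '<pre class="logs">' + log + "</pre>"


def render_log_escaped(log: str) -> str:
    """Hardened shape: escape the untrusted console text before inserting it,
    so "<script>" arrives at the browser as "&lt;script&gt;" and is displayed
    literally instead of executed."""
    return '<pre class="logs">' + html.escape(log, quote=True) + "</pre>"


def injected_tags(rendered: str) -> list[str]:
    """Tags in the rendered fragment other than the wrapping <pre>.
    An empty list means nothing from the log is interpreted as HTML."""
    tags = TAG_RE.findall(rendered)
    return [t for t in tags if not t.startswith(("<pre", "</pre"))]


def guest_wrote_markup(log: str) -> bool:
    """Detection helper: does this console log contain anything that would be
    parsed as HTML if a viewer rendered it raw? Useful as a check on the data
    an un-patched dashboard would receive."""
    return TAG_RE.search(log) is not None


if __name__ == "__main__":
    print("unescaped:", injected_tags(render_log_unescaped(SAMPLE_CONSOLE_LOG)))
    print("escaped:  ", injected_tags(render_log_escaped(SAMPLE_CONSOLE_LOG)))
```

The escaping has to happen on the refresh path specifically: the initial page render may already go through a template engine that auto-escapes, while the AJAX refresh returns the raw log and the client inserts it as HTML, which is exactly the asymmetry the fix title ("html escape the console log in refresh") addresses.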
CVE References
| summary: | refreshing in log viewer interprets html → refreshing in log viewer interprets html and javascript |
| Matthias Weckbecker (mweckbecker) wrote : | #1 |
| Robert Clark (robert-clark) wrote : | #2 |
Lots of interesting attacks could leverage this.
Definitely needs a CVE in my opinion.
| Matthias Weckbecker (mweckbecker) wrote : | #3 |
Robert, I agree with you. I will take care and get us one.
Since I have found the issue I guess according to the unwritten rule I have to suggest a CRD / disclosing date. Would 2012/04/20 be acceptable?
| J. Daniel Schmidt (jdsn) wrote : | #4 |
Proposed fix for this issue.
As this will be a CVE I attach it here rather than sending it directly to gerrit.
| Russell Bryant (russellb) wrote : | #5 |
Subscribed Horizon PTL to the bug.
For reference, here is the process we follow for vulnerability management in OpenStack: http://
I'd like to hold off on deciding on a CRD until we're ready to send out an advance notification of the issue. Next steps:
1) We will need a patch for both master and stable/essex. I suspect that the same patch will apply fine to both in this case.
2) The patch(es) need to be pre-approved on this bug by two members of horizon-core. Devin, can you handle that?
3) Once all of that is done, we can decide on a CRD and one of the VMT members can send out the advance notification. (I don't mind doing it.)
| Devin Carlen (devcamcar) wrote : | #6 |
+2 for the patch
| tags: | added: essex-backport-potential |
| Changed in horizon: | |
| milestone: | none → folsom-1 |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| assignee: | nobody → Nebula (nebula) |
| Gabriel Hurley (gabriel-hurley) wrote : | #7 |
Reviewed, +2, and I'm reasonably satisfied this type of problem isn't exposed similarly elsewhere at the moment.
| Russell Bryant (russellb) wrote : | #8 |
Thanks! Can you help clarify the scope of the vulnerability? What all is this log viewer used for? Is it just for viewing output from VM consoles? Anything more than that?
| Russell Bryant (russellb) wrote : | #9 |
Regarding the CRD (coordinated release date), I would normally propose a day next week. Given that a significant portion of the people responsible for getting the patch merged or updating packages will be busy at the OpenStack conference, we could do it 2 weeks out: Tuesday, April 24th. Would you consider this critical enough that we just do what it takes to get it released next week? If so, I'd say Tuesday, April 17th. I'm fine either way.
| Devin Carlen (devcamcar) wrote : | #10 |
Hi Russell, you are correct - the log viewer allows you to tail the logs of the guest consoles.
| Russell Bryant (russellb) wrote : | #11 |
Proposed description. Feedback welcome.
Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: J. Daniel Schmidt <email address hidden>
Products: Horizon
Affects: All versions
Description:
J. Daniel Schmidt reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.
| Devin Carlen (devcamcar) wrote : | #12 |
This description is accurate.
| Devin Carlen (devcamcar) wrote : | #13 |
Let's do Tuesday April 17th.
| Paul McMillan (paul-mcmillan) wrote : | #14 |
+2 on the fix, it looks good.
Agree on the earlier release date. This is absolutely critical, since it can relatively easily be exploited to gain administrator privileges in many cases.
| Russell Bryant (russellb) wrote : | #15 |
As requested, here is the updated description that reflects Matthias as the reporter since he originally found the issue :
Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <email address hidden>
Products: Horizon
Affects: All versions
Description:
Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.
| Bernhard M. Wiedemann (ubuntubmw) wrote : | #16 |
| visibility: | private → public |
Fix proposed to branch: stable/essex
Review: https:/
| Russell Bryant (russellb) wrote : | #18 |
and for stable/essex: https:/
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit ab2e27522aaeb02
Author: J. Daniel Schmidt <email address hidden>
Date: Tue Apr 10 14:56:37 2012 +0200
html escape the console log in refresh
fixes bug 977944
Change-Id: I89089155d10833
| Changed in horizon: | |
| status: | Triaged → Fix Committed |
| Thierry Carrez (ttx) wrote : | #20 |
Essex fix is still missing. Review 6621 is blocked until 6676 is backported, and the current attempt (6727) has been abandoned by devcamcar.
| Bernhard M. Wiedemann (ubuntubmw) wrote : | #21 |
https:/
| Thierry Carrez (ttx) wrote : | #22 |
Actually this bug needs 6621 (which is the backport of 6618)... but that needs the equivalent of *6626* (not 6676) being present in the branch before it can hit.
| Devin Carlen (devcamcar) wrote : | #23 |
https:/
| Devin Carlen (devcamcar) wrote : | #24 |
oops, meant: https:/
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: stable/essex
commit 7f8c788aa70db98
Author: J. Daniel Schmidt <email address hidden>
Date: Tue Apr 10 14:56:37 2012 +0200
html escape the console log in refresh
fixes bug 977944
(cherry picked from commit ab2e27522aaeb02
Change-Id: Ic6135ebc58b6c4
| tags: | added: in-stable-essex |
| Thierry Carrez (ttx) wrote : | #26 |
Should be marked released only if we do a 2012.1.1 release that includes the fix.
| Changed in horizon: | |
| status: | Fix Committed → Fix Released |
| Changed in horizon: | |
| milestone: | folsom-1 → 2012.2 |
| Changed in horizon: | |
| assignee: | Registry Administrators (registry) → nobody |
Thanks for your report, jdsn.
In other words this is a Cross-Site Scripting flaw which could be used to steal the session id of the logged in user viewing the logs.
I would recommend getting a CVE for it if this affects released products / software.