[OSSA 2014-023] Stored XSS for /admin/users/ (CVE-2014-3475)

The OSSA task is incomplete pending additional details from security reviewers. Also I marked 1320233 as a duplicate of this one.

Looks valid to me at first glance... Malicious user could specify crafted email address which then would XSS the admin... Waiting on horizon-coresec to confirm, though.

I can reproduce the problem and Horizon should be escaping the data. Havana and possibly previous versions are also affected.

With regard to the security impact, I think it depends on whether one is using an external system to manage users or has modified the default Keystone permissions. If I understand correctly, by default the Keystone policy doesn't allow users to modify their own email. User creation and update appear to require admin rights ("You are not authorized to perform the requested action, admin_required. (HTTP 403)").

In itself, the problem is due to the use of the "urlize" filter to make the email address clickable. urlize expects the data to already be escaped. It looks like the filter is used in 2 places across the codebase, for users and groups management. I'll propose a fix.

I'm attaching a patch that applies cleanly on both master and Icehouse and was tested in both environments.

Adding the Havana version of the patch (minor conflict), tested in devstack Havana.

I can confirm that Julie's patch looks good. Thanks for tracking that down.

@michael xin, I'm not sure what company should I credit in this OSSA, your Openstack community profile mention Rackspace, is this still correct ?

Tristan:
Thanks. Please use rackspace. Have a great day.

Michael

Sent from my iPhone

> On May 27, 2014, at 3:48 PM, Tristan Cacqueray <email address hidden> wrote:
>
> @michael xin, I'm not sure what company should I credit in this OSSA,
> your Openstack community profile mention Rackspace, is this still
> correct ?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1320235
>
> Title:
> Stored XSS for /admin/users/
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisories:
> Confirmed
>
> Bug description:
> The /admin/users/ page does not output encode users' email addresses
> correctly. Since there is no user input validation for the users'
> email address during creation process. It is possible to inject script
> tag into the email address. This is a stored cross site scripting
> issue.
>
> The issue can be abused to hijack user's session and implant malware,
> etc.
>
>
> For example, attached is a screen copy of Horizon for users with stored XSS in action.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1320235/+subscriptions

Alright, thanks you!

We'll be coordinating a common advisory with the bug https://bugs.launchpad.net/ossa/+bug/1308727 (which you are now subscribed)

Disclosure date is set to:
2014-07-08, 1500UTC

Fix proposed to branch: master
Review: https://review.openstack.org/105476

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/105477

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/105478

Reviewed: https://review.openstack.org/105476
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=de4466d88b816437fb29eff5ab23b9b964cd3985
Submitter: Jenkins
Branch: master

commit de4466d88b816437fb29eff5ab23b9b964cd3985
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

Reviewed: https://review.openstack.org/105477
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=32a7b713468161282f2ea01d5e2faff980d924cd
Submitter: Jenkins
Branch: stable/icehouse

commit 32a7b713468161282f2ea01d5e2faff980d924cd
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

Reviewed: https://review.openstack.org/105478
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c844bd692894353c60b320005b804970605e910f
Submitter: Jenkins
Branch: stable/havana

commit c844bd692894353c60b320005b804970605e910f
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities

     * Ensure user emails are properly escaped

    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.

    Closes-Bug: #1320235

     * Ensure network names are properly escaped in the Launch Instance menu

    Closes-Bug: #1322197

     * Escape the URLs generated for the Horizon tables

    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.

     * Use 'reverse' to generate the Resource URLs in the stacks tables

    Closes-Bug: #1308727

    Conflicts:
     horizon/tables/base.py
     openstack_dashboard/dashboards/admin/users/tables.py

    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e

Mitre looks to be splitting this into two CVE assignments. See: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8578