| 2015-12-04 14:14:14 |
Adam Heczko |
bug |
|
|
added bug |
| 2015-12-04 14:14:57 |
Adam Heczko |
mos: milestone |
|
8.0 |
|
| 2015-12-04 14:15:52 |
Adam Heczko |
mos: importance |
Undecided |
Medium |
|
| 2015-12-04 14:16:13 |
Adam Heczko |
mos: assignee |
|
MOS Horizon (mos-horizon) |
|
| 2015-12-04 14:17:30 |
Adam Heczko |
description |
Observed on:
All Horizon implementations using Django versions prior to 1.7
Problem description:
Http session cookie (Horizon cookie) containing CSRF token is stored on disk for a long period of time.
This makes possible to perform CSRF attack on Horizon when cookie gets revealed/stolen from disk.
Upstream bug report:
https://bugs.launchpad.net/horizon/+bug/1369865
Solution proposal:
- patch Django shipped with MOS
- apply other CSRF preventive actions:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/ |
Observed on:
All Horizon implementations using Django versions prior to 1.7
Problem description:
Http session cookie (Horizon cookie) containing CSRF token is stored on disk for a long period of time.
This makes possible to perform CSRF attack on Horizon when cookie gets revealed/stolen from disk.
Upstream bug report:
https://bugs.launchpad.net/horizon/+bug/1369865
Solution proposal:
- ensure that we ship MOS with appropriate Django version >=1.7
- patch Django shipped with MOS if older version is used
- apply other CSRF preventive actions:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/ |
|
| 2015-12-04 14:18:08 |
Adam Heczko |
bug |
|
|
added subscriber Matthew Mosesohn |
| 2015-12-04 14:18:43 |
Adam Heczko |
bug |
|
|
added subscriber Stanislaw Bogatkin |
| 2015-12-04 14:19:07 |
Adam Heczko |
bug |
|
|
added subscriber Dmitry Pyzhov |
| 2015-12-04 14:19:27 |
Adam Heczko |
bug |
|
|
added subscriber Aleksandr Maksimov |
| 2015-12-04 14:19:29 |
Adam Heczko |
removed subscriber Aleksandr Maksimov |
|
|
|
| 2015-12-04 14:19:45 |
Adam Heczko |
bug |
|
|
added subscriber Andrew Maksimov |
| 2015-12-04 14:57:06 |
Adam Heczko |
nominated for series |
|
mos/7.0.x |
|
| 2015-12-04 14:57:06 |
Adam Heczko |
bug task added |
|
mos/7.0.x |
|
| 2015-12-04 14:57:20 |
Adam Heczko |
mos/7.0.x: importance |
Undecided |
Medium |
|
| 2015-12-04 14:57:32 |
Adam Heczko |
mos/7.0.x: assignee |
|
MOS Maintenance (mos-maintenance) |
|
| 2015-12-04 14:57:39 |
Adam Heczko |
mos/7.0.x: milestone |
|
7.0-updates |
|
| 2015-12-08 13:03:05 |
Roman Podoliaka |
mos: status |
New |
Confirmed |
|
| 2015-12-08 13:03:07 |
Roman Podoliaka |
mos/7.0.x: status |
New |
Confirmed |
|
| 2015-12-10 11:21:42 |
Vitaly Sedelnik |
mos/7.0.x: status |
Confirmed |
Won't Fix |
|
| 2015-12-11 09:44:18 |
Timur Sufiev |
tags |
|
horizon |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
nominated for series |
|
mos/6.0.x |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
bug task added |
|
mos/6.0.x |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
nominated for series |
|
mos/5.1.x |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
bug task added |
|
mos/5.1.x |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
nominated for series |
|
mos/6.1.x |
|
| 2015-12-11 09:55:46 |
Adam Heczko |
bug task added |
|
mos/6.1.x |
|
| 2015-12-11 09:56:17 |
Adam Heczko |
mos/5.1.x: status |
New |
Won't Fix |
|
| 2015-12-11 09:56:21 |
Adam Heczko |
mos/6.0.x: status |
New |
Won't Fix |
|
| 2015-12-11 09:56:25 |
Adam Heczko |
mos/6.1.x: status |
New |
Won't Fix |
|
| 2015-12-11 09:56:36 |
Adam Heczko |
mos/5.1.x: milestone |
|
5.1.1-mu-3 |
|
| 2015-12-11 09:56:41 |
Adam Heczko |
mos/6.0.x: milestone |
|
6.0-mu-8 |
|
| 2015-12-11 09:56:49 |
Adam Heczko |
mos/6.1.x: milestone |
|
6.1-mu-5 |
|
| 2015-12-11 09:56:59 |
Adam Heczko |
mos/5.1.x: importance |
Undecided |
Medium |
|
| 2015-12-11 09:57:03 |
Adam Heczko |
mos/6.0.x: importance |
Undecided |
Medium |
|
| 2015-12-11 09:57:07 |
Adam Heczko |
mos/6.1.x: importance |
Undecided |
Medium |
|
| 2015-12-11 09:58:39 |
Adam Heczko |
mos/6.1.x: milestone |
6.1-mu-5 |
6.1-updates |
|
| 2015-12-11 09:58:44 |
Adam Heczko |
mos/6.0.x: milestone |
6.0-mu-8 |
6.0-updates |
|
| 2015-12-11 09:58:50 |
Adam Heczko |
mos/5.1.x: milestone |
5.1.1-mu-3 |
5.1.1-updates |
|
| 2015-12-14 11:16:00 |
Timur Sufiev |
mos: assignee |
MOS Horizon (mos-horizon) |
Timur Sufiev (tsufiev-x) |
|
| 2015-12-14 13:51:18 |
Timur Sufiev |
mos: status |
Confirmed |
Fix Committed |
|
| 2015-12-15 02:20:27 |
Adam Heczko |
information type |
Private Security |
Public Security |
|
| 2015-12-23 10:53:16 |
Adam Heczko |
mos: importance |
Medium |
High |
|
| 2015-12-23 10:53:28 |
Adam Heczko |
mos: status |
Fix Committed |
Confirmed |
|
| 2015-12-23 11:44:01 |
Paul Karikh |
mos: status |
Confirmed |
In Progress |
|
| 2015-12-23 11:44:05 |
Paul Karikh |
mos: assignee |
Timur Sufiev (tsufiev-x) |
Paul Karikh (pkarikh) |
|
| 2015-12-23 21:52:54 |
Timur Sufiev |
mos: status |
In Progress |
Fix Committed |
|
| 2016-01-25 13:30:47 |
Anastasia Kuznetsova |
tags |
horizon |
area-horizon |
|
| 2016-02-12 15:04:43 |
Alexander Petrov |
mos: status |
Fix Committed |
Fix Released |
|
