ajaxterm/qweb.py facilitates arbitrary code execution

Adding PTL and markmc (as it may impact soon-to-be-released 2011.3.1)

Working on checking how exploitable this is, but at first glance I'd agree that this qweb.py is pretty weak.

Also see bug 787094

This doesn't look directly exploitable (without ability for attacker to create /tmp/qweb_sess_XXXX files) but I would agree that:

* At the very minimum, session files should be created in a different (non world-writeable) session directory
* qweb.py, and by extension ajaxterm, looks like a pretty weak piece of code (and not just in terms of security). If NoVNC really obsoletes it, we should get rid of it
* In all cases we shouldn't copy/ship ajaxterm code in Nova (bug 787094)

markmc, Vish: thoughts ?

Don't think it's worth holding 2011.3.1 up for this, especially given that we don't have a fix yet.

Isn't the fix as simple as removing ajaxterm?

For the release under development, that's definitely an option (I would just like to make sure we can point people to a complete replacement).

But as a stable update to an already-released version (Diablo) that's not really an option, as it could potentially break functionality that some people rely on.

It's worth pointing out that upstream ajaxterm is basically abandoned and has had open CVEs for a while... Are we at least using the patched Debian version that somewhat fixes the session predictability problem?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1629

Yeah, our version uses server-side session ID so it's not affected. Trying to get some nova-core advice on whether we can easily get rid of it.

Now that we have functional vnc, I have no problem killing it.

I'll have a try at removing it. Are we all OK about making this bug public ?

Proposed patch.
Should I start a thread on the ML before pushing this ?

I've got no objections to making it public. Ajaxterm is known broken, and while I think some hacking could probably produce an exploit, I haven't done so, and anyone who looks at the code should be able to figure out the same thing.

Discussed with vishy, sounds like a better idea to remove it post-E3, rather than breaking packagers expectations just before.

Opening. Note that this only affects packaging that uses the bundled ajaxterm (Ubuntu uses the packaged one, for example)

Will propose once the dust settles on the dead wood thread on the ML

Vishy had assigned the blueprint to me.

Reassigning it to you - I had taken a pass at doing the same thing as your patch.

Looking forward to it landing.

Fix proposed to branch: master
Review: https://review.openstack.org/3850

Reviewed: https://review.openstack.org/3850
Committed: http://github.com/openstack/nova/commit/71410724cd1516608ee58c37077bf9080da38de2
Submitter: Jenkins
Branch: master

commit 71410724cd1516608ee58c37077bf9080da38de2
Author: Thierry Carrez <email address hidden>
Date: Tue Feb 7 16:37:34 2012 +0100

    Remove ajaxterm from Nova

    Removes copy of ajaxterm code, nova-ajax-console-proxy,
    and support for get_ajax_console from Nova proper.

    Implements blueprint remove-ajaxterm
    Fixes bug 917963

    Change-Id: I2c0ff427c53c0f63a18b10475d6b4cbe9a085d83