Possible client side template injection in horizon login screen

Bug #1717542 reported by Martin Ivanov
This bug affects 7 people
Affects                        Status  Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)  New     Undecided   Unassigned
openstack-secaudit             New     Undecided   Unassigned

Bug Description

We got an indication from a security auditing scan that the login page (/dashboard/auth/login)
is still vulnerable to the problem below, reported on Horizon/ocata, version 10.0.0.0.

Seems the same as the bug below, just it didn't fix the issue for the login screen.
https://bugs.launchpad.net/horizon/+bug/1567673

More information for the problem:
AngularJS client-side template injection vulnerability.

http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

This web application is vulnerable to an AngularJS client-side template injection vulnerability. AngularJS client-side template injection vulnerabilities occur when user input is dynamically embedded on a page where AngularJS client-side templating is used. By using curly braces it's possible to inject AngularJS expressions into the AngularJS client-side template that is being used by the application. These expressions will be evaluated on the client side by AngularJS and, when combined with a sandbox escape, they allow an attacker to execute arbitrary JavaScript code.

An attacker can inject AngularJS expressions that will be evaluated on the client side. Normally AngularJS expressions are not very dangerous, but when combined with a sandbox escape they allow an attacker to execute arbitrary JavaScript code.

affects: horizon → openstack-secaudit
Changed in horizon:
importance: Undecided → Critical
Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Let's not mark importance until its confirmed please :)

Changed in horizon:
importance: Critical → Undecided
Revision history for this message
David Lyle (david-lyle) wrote :

If you believe you have encountered a security issue, please mark it as such and don't mark it as public.

That said, I believe this is indeed addressed in the comments on the linked fixed issue: https://bugs.launchpad.net/horizon/+bug/1567673 as the escape sequence is not the default. The results of any automated checker should be double-checked. If you can provide more details and information that there is indeed still an issue, please update.

Changed in horizon:
status: New → Incomplete
Revision history for this message
Martin Ivanov (martin76) wrote :

Here are more details from the auditing scan.

Details
URL-encoded POST input "next" was set to /dashboard/9voye{{1==1}}cns7e.
The input was reflected inside an AngularJS template.

POST /dashboard/auth/login/ HTTP/1.1
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Referer: https://10.3.199.109
Cookie: csrftoken=ULqDeIIm2VZnsOcUz5MdYityXbygIGJZ; token=; login_region="https://vCPEManager:5000/v3"; login_domain=
Host: 10.3.199.109
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
csrfmiddlewaretoken=ULqDeIIm2VZnsOcUz5MdYityXbygIGJZ&fake_email=sample%40email.tst&fake_password=g00dPa%24%24w0rD&next=/dashboard/9voye{{1==1}}cns7e&password=g00dPa%24%24w0rD&region=https://vCPEManager:5000/v3&username=ktjeylhq
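The scan output above only establishes that the probe string came back in the response; it does not show that AngularJS would interpolate it, which is the point of the maintainers' request to double-check the finding. The following triage helper is an added example written for this page, not code from Horizon or from the reporter. It re-implements the reasoning a reviewer applies by hand: the probe must be reflected inside an ng-app subtree, and the page must use the interpolation symbols the probe is written for (the AngularJS default `{{ }}`; Horizon configures `$interpolateProvider` to use `{$ $}`, which is why `{{1==1}}` is inert there even when reflected). It assumes the symbol configuration is visible in inline script; in a real check you would grep the bundled JavaScript instead. The sample responses are constructed, the module name `demo` is illustrative, and an application bootstrapped with `angular.bootstrap()` carries no `ng-app` attribute, so a "not in scope" verdict still needs a look at the page's scripts. Note also that entity-encoding the braces is not a defence: AngularJS walks the decoded DOM, so the helper deliberately decodes character references before searching.

```python
"""Triage helper for an AngularJS client-side template injection (CSTI) report.

Given an HTML response that reflects a scanner probe, decide whether the
reflection could actually be interpolated by AngularJS: it must sit inside an
ng-app subtree, and the page must use the interpolation symbols the probe is
written for (default {{ }}; Horizon reconfigures these to {$ $}).
"""
import re
from html.parser import HTMLParser

# Probe from the report: "1==1" renders as "true" if AngularJS interpolates it.
PROBE = "9voye{{1==1}}cns7e"

# HTML void elements: they have no end tag, so they are never pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}

# Matches $interpolateProvider.startSymbol('{$') style configuration in inline JS.
START_SYMBOL_RE = re.compile(r"startSymbol\(\s*['\"]([^'\"]+)['\"]\s*\)")


class _ReflectionScanner(HTMLParser):
    """Record every occurrence of the probe and whether it lies under ng-app.

    convert_charrefs stays at its default (True) on purpose: AngularJS reads the
    decoded DOM, so a server that entity-encodes the braces has not removed the sink.
    """

    def __init__(self, probe):
        super().__init__()
        self.probe = probe
        self.stack = []      # open elements as (tag, opens_ng_scope)
        self.ng_depth = 0    # number of enclosing ng-app elements
        self.hits = []       # (description, inside_ng_scope)

    def handle_starttag(self, tag, attrs):
        opens_ng = any(name in ("ng-app", "data-ng-app", "x-ng-app") for name, _ in attrs)
        if opens_ng:
            self.ng_depth += 1          # the root element itself is in scope
        for name, value in attrs:
            if value and self.probe in value:
                self.hits.append((f"attribute {name} of <{tag}>", self.ng_depth > 0))
        if tag in VOID:
            if opens_ng:
                self.ng_depth -= 1      # no children, so the scope ends immediately
        else:
            self.stack.append((tag, opens_ng))

    def handle_endtag(self, tag):
        # Pop to the nearest matching open tag; unmatched end tags are ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.ng_depth -= sum(1 for _, opens_ng in self.stack[i:] if opens_ng)
                del self.stack[i:]
                return

    def handle_data(self, data):
        if self.probe in data:
            parent = self.stack[-1][0] if self.stack else "document"
            self.hits.append((f"text inside <{parent}>", self.ng_depth > 0))


def interpolation_start_symbol(body):
    """Start symbol configured in inline script, or the AngularJS default."""
    match = START_SYMBOL_RE.search(body)
    return match.group(1) if match else "{{"


def assess(body, probe=PROBE):
    """Classify a reflected probe: verdict, where it was reflected, and the start symbol."""
    scanner = _ReflectionScanner(probe)
    scanner.feed(body)
    scanner.close()
    symbol = interpolation_start_symbol(body)
    in_scope = [where for where, inside in scanner.hits if inside]
    if not scanner.hits:
        verdict = "not_reflected"
    elif not in_scope:
        verdict = "reflected_outside_ng_scope"
    elif symbol not in probe:
        verdict = "reflected_but_custom_symbols"   # {{ }} is inert when the app uses e.g. {$ $}
    else:
        verdict = "likely_csti"                    # confirm in a browser: DOM should show 9voyetruecns7e
    return {"verdict": verdict,
            "locations": [where for where, _ in scanner.hits],
            "start_symbol": symbol}


# Constructed sample responses (not captured from Horizon); each reflects the
# probe in the hidden "next" field of a login form. Module name "demo" is illustrative.
FORM = '<form method="post"><input type="hidden" name="next" value="/dashboard/%s"></form>'
DEFAULT_SYMBOLS = '<html><body ng-app="demo">' + FORM % PROBE + '</body></html>'
CUSTOM_SYMBOLS = ('<html><head><script>app.config(function($interpolateProvider){'
                  '$interpolateProvider.startSymbol("{$");'
                  '$interpolateProvider.endSymbol("$}");});</script></head>'
                  '<body ng-app="demo">' + FORM % PROBE + '</body></html>')
OUTSIDE_SCOPE = '<html><body><div ng-app="demo"></div>' + FORM % PROBE + '</body></html>'
ENTITY_ENCODED = ('<html><body ng-app="demo"><p>9voye&#123;&#123;1==1&#125;&#125;cns7e</p>'
                  '</body></html>')

if __name__ == "__main__":
    for name, body in [("default symbols", DEFAULT_SYMBOLS), ("custom symbols", CUSTOM_SYMBOLS),
                       ("outside scope", OUTSIDE_SCOPE), ("entity encoded", ENTITY_ENCODED)]:
        print(f"{name:16} -> {assess(body)}")
```

Run it against a saved copy of the real login response (with the bundled JavaScript appended, so the `startSymbol` check sees Horizon's configuration) rather than the constructed samples. A "likely_csti" verdict is still only a candidate: the confirmation the maintainers asked for is to load the page in a browser and see whether the rendered DOM shows `9voyetruecns7e` in place of the probe.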

Martin Ivanov (martin76)
Changed in horizon:
status: Incomplete → New
This report contains Public information.