Comment 20 for bug 1567673

David Lyle (david-lyle) wrote : Re: [Bug 1567673] Re: Possible client side template injection in horizon

I'm good with the patch in comment #15.

On Mon, May 9, 2016 at 9:50 AM, Tristan Cacqueray <email address hidden> wrote:
> This could probably be fixed in the open, any concern if we switch this
> bug report to public?
>
> OSSG-coresec is now subscribed too.
>
> --
> You received this bug notification because you are a member of Horizon
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Confirmed
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my group's process to deploy a new web app so that
> we can provide OpenStack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions