Comment 27 for bug 1567673

Brandon Sawyers (brandor5) wrote : Re: [Bug 1567673] Re: Possible client side template injection in horizon

Would it be possible to add Beth Lancaster as the discoverer of the bug as
well? We work for Virginia Tech.

Also, thank all of you for your help with this issue. 😃 We appreciate it a
lot.

Thanks,
Brandon

On Thu, May 12, 2016, 16:26 Travis McPeak <email address hidden> wrote:

> I believe we've ratholed here before, and not meaning to kick up dust,
> but the "affects" is confusing. Is there any way we can make versions
> more clear? If not, no worries.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1567673
>
> Title:
> Possible client side template injection in horizon
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisory:
> Triaged
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> I'm working through my group's process to deploy a new web app so that
> we can provide OpenStack in our production environment. Part of that
> process is having an authenticated security scan done by Acunetix.
>
> I've attached a screenshot of the report for the alert received during
> the scan.
>
> Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
> or not.
>
> Quick research found the following link which talks about the issue in
> general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
>
> Any input would be greatly appreciated.
>
> Thanks!
> Brandon
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
>