XSS in adding JavaScript into the ‘Subnet Name’ field

Bug #1892848 reported by James Hill
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon); Status: Incomplete; Importance: Undecided; Assigned to: Ivan Kolodyazhny
Affects: OpenStack Security Advisory; Status: Incomplete; Importance: Undecided; Assigned to: Unassigned

Bug Description

While testing v3.10 for a client, I found that there was Persistent XSS.

This was performed by creating a network and then entering JavaScript into the subnet name. The user would then have to attach the network interface with the JavaScript present to an instance. After this, when a user created a network bridge, the JavaScript would run.

I only had one account when performing this test but believe it would run when other users were logged in using the same instance and network interface.

-----------------------------------
Release: 0.0.1.dev215 on 2020-06-16 21:33:43
SHA: fbfe127c87f2e860efa7806eb9f6d6847d56ba07
Source: https://opendev.org/openstack/ossa/src/doc/source/ossa/OSSA-2014-023.rst
URL: https://security.openstack.org/ossa/OSSA-2014-023.html

James Hill (jhill88) wrote :
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Apologies for letting this slip through the cracks for a month, I seem to have missed the initial notification for it. I'm hoping the Horizon security reviewers I've subscribed can pin down the version information from your report a bit more... there is no 3.10 tagged for the Horizon project (versioning skipped from 2015.1.4 in the Kilo release to 8.0.0 for the Liberty release). Neither can I find the fbfe127c87f2e860efa7806eb9f6d6847d56ba07 commit you referenced, nor am I sure why you included a link to an advisory we published in 2014.

Jeremy Stanley (fungi) wrote :

Dorina Timbur also reported this more recently. Quoting from the duplicate bug:

"As part of a penetration test done by a third party on a customer environment, it was found that by adding JavaScript into the ‘Subnet Name’ field, the JavaScript would trigger when adding the network to an instance and then loading a network trunk. The user needs permissions to create a network and edit an instance for this to trigger. See attached screenshots for more details. This is susceptible to a Cross-Site Scripting (XSS) vulnerability."

summary: - Persistent XSS found in the horizon dashboard v3.10
+ XSS in adding JavaScript into the ‘Subnet Name’ field
Ivan Kolodyazhny (e0ne)
Changed in horizon:
assignee: nobody → Ivan Kolodyazhny (e0ne)
Jeremy Stanley (fungi) wrote :

The embargo for this bug has expired, so I'm making it public now in hopes of getting more visibility/progress from the community.

description: updated
information type: Private Security → Public Security
Vishal Manchanda (vishalmanchanda) wrote :

@James, Hi, tatina and I from the Horizon team tried to reproduce this bug on the master branch but did not succeed. Could you add more info about the steps to reproduce it?

Changed in horizon:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

This report seems very similar to https://security.openstack.org/ossa/OSSA-2014-023.html (CVE-2014-3474), which was fixed in Horizon's Juno release (2014.2) and backported to Icehouse (in 2014.1.2), and Havana (in 2013.2.4). Without a clear statement of which version the reporter found this in and no reproduction steps provided, I'm going to assume this is a duplicate of bug 1322197 and mark it as such. We can split the bugs again if the reporter or someone else comes along with more actionable information.

Changed in ossa:
status: Incomplete → Invalid
Jeremy Stanley (fungi) wrote :

Actually, when starting to mark this as a duplicate, I noticed that there was another report set as a duplicate of this one in Private Security state. Because it was set as a duplicate it didn't show up in our usual queries and so we missed switching it to Public Security when its embargo was set to expire in January.

Vishal: can you have a quick look at bug 1900872 and see if the screenshot examples there provide sufficient context to reproduce the behavior and/or identify potentially affected versions?

Changed in ossa:
status: Invalid → Incomplete
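
An added example, not part of the bug report or Horizon's code: a defender-side audit for the stored values the report describes, flagging subnet names that contain HTML metacharacters and giving the escaped form a page should emit. The sample data is constructed and assumes the shape of a Neutron subnet listing; the helper name and severity labels are hypothetical.

```python
import html
import json
import re

# Constructed sample, shaped like a Neutron "list subnets" response body (assumed shape).
SAMPLE_RESPONSE = json.loads(r"""
{"subnets": [
  {"id": "subnet-0001", "network_id": "net-0001", "name": "private-subnet"},
  {"id": "subnet-0002", "network_id": "net-0001", "name": "dev & test"},
  {"id": "subnet-0003", "network_id": "net-0002", "name": "<script>alert(1)</script>"},
  {"id": "subnet-0004", "network_id": "net-0002", "name": "x\" onmouseover=\"alert(1)"},
  {"id": "subnet-0005", "network_id": "net-0003", "name": null}
]}
""")

# Heuristic for names that would be active if written into HTML unescaped:
# a tag opener, an inline event-handler attribute, or a javascript: URL.
ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def audit_subnet_names(subnets):
    """Hypothetical helper: report subnet names that contain HTML metacharacters."""
    findings = []
    for subnet in subnets:
        name = subnet.get("name") or ""          # name may be null or empty
        escaped = html.escape(name, quote=True)  # safe for HTML text and quoted attributes
        if escaped == name:
            continue                             # no HTML metacharacters present
        findings.append({
            "id": subnet["id"],
            "network_id": subnet["network_id"],
            "severity": "high" if ACTIVE_MARKUP.search(name) else "info",
            "safe_html": escaped,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_subnet_names(SAMPLE_RESPONSE["subnets"]):
        print(finding)
```

A "high" finding identifies the network whose attachment views should be checked for unescaped output; the pattern is a heuristic and can flag benign names that happen to contain text like `online=`.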
This report contains Public Security information  
Everyone can see this security related information.
