a Flash cross-domain policy which allows access from any domain.

Bug #2016278 reported by Rishabh yadav
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Severity: High
Confidence: Certain
Host: https://fa-eumz-saasfaprod1.fa.ocs.oraclecloud.com
Path: /crossdomain.xml
Issue detail
The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Vulnerability classifications
• CWE-942: Overly Permissive Cross-domain Whitelist

Rishabh yadav (hackerbotyadav) wrote :

Tim Burke (1-tim-z) wrote :

Thank you for your report!

Swift provides operators with the ability to configure the policy they like, including returning a client error (effectively disabling cross-domain access). For more information, see https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.crossdomain

Thinking of Swift generally:

The crossdomain middleware is disabled by default. Operators need to explicitly configure it, or all requests to the /crossdomain.xml path will receive a client error.

If enabled, the crossdomain middleware is very permissive by default. This stems from its origin and continued use as a public cloud platform, where a permissive policy is appropriate. We may want to highlight the permissiveness of the default in docs.

As to the specific concern reported, this seems like something to take to Oracle -- though I would expect that, as a public cloud provider, they may well *want* a permissive policy.
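To make the permissiveness concrete, here is an added example (not Swift code and not part of this thread): a small Python audit that lays out a policy body the way a crossdomain.xml response is served and flags the entries behind a CWE-942 finding. The permissive sample mirrors the default `cross_domain_policy` value shown in the linked middleware docs (verify against your installed version); the restricted sample and the host names in it are constructed.

```python
"""Audit a Flash crossdomain.xml policy for CWE-942 (overly permissive whitelist).

Added example for this bug thread; not Swift's own code. PERMISSIVE mirrors the
documented default cross_domain_policy of Swift's crossdomain middleware (assumed
from the docs, check your version); RESTRICTED is a constructed operator policy.
"""
import xml.etree.ElementTree as ET


def crossdomain_body(policy_entries: str) -> str:
    """Wrap policy entries in the crossdomain.xml envelope a client would fetch."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
        f'<cross-domain-policy>\n{policy_entries}\n</cross-domain-policy>'
    )


# Constructed samples: the documented Swift default, and a restricted policy.
PERMISSIVE = crossdomain_body('<allow-access-from domain="*" secure="false" />')
RESTRICTED = crossdomain_body(
    '<allow-access-from domain="*.example.com" />\n'
    '<allow-access-from domain="www.example.com" />'
)


def audit_crossdomain(xml_text: str) -> list[str]:
    """Return one finding per risky entry; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    for node in root:
        domain = node.get("domain", "")
        # Flash treats a missing secure attribute as secure="true".
        secure = node.get("secure", "true").lower()
        if node.tag in ("allow-access-from", "allow-http-request-headers-from"):
            if domain == "*":
                findings.append(f'{node.tag}: domain="*" allows any origin (CWE-942)')
            if secure == "false":
                findings.append(
                    f'{node.tag} {domain}: secure="false" lets plain-HTTP origins '
                    'reach an HTTPS host'
                )
        elif node.tag == "site-control":
            if node.get("permitted-cross-domain-policies") == "all":
                findings.append('site-control: permitted-cross-domain-policies="all"')
    return findings
```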

Jeremy Stanley (fungi) wrote :

If this were to change in Swift, I get the impression it would only change for new releases from the master branch and not get backported to older stable release branches, so it's not something we'd issue a security advisory about. However, since this report discloses a potential vulnerability in Oracle Cloud, I'm hesitant to switch it to public without some confirmation that doing so won't expose them to additional risk.

Was this problem also disclosed to the Oracle Cloud admins? If so, when were they notified and did they express concern or provide a timeline to address it in their deployment?

Jeremy Stanley (fungi) wrote :

Note that we normally impose a 90 day maximum embargo period for privately reported bugs, which means we shouldn't keep this private past 2023-07-13 even if we've heard no further response from the reporter in that time.

Tim Burke (1-tim-z) wrote :

We still haven't heard any response, and I'm not convinced Swift needs any code changes as the endpoint is disabled by default. We have updated our documentation to call out the permissiveness of the default policy, highlight that it may not be appropriate for all deployments, and link to CWE-942. I think we can make this public now, and close it as invalid.

Jeremy Stanley (fungi) wrote :

Thanks for revisiting this, Tim. I've switched the report to public now, but I'll leave it to you to set the swift bugtask to invalid.

information type: Private Security → Public