osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1417762] Re: XSS in network create error reporting


The example in the bug description is just an example. In my
understanding, the point is if you specify an invalid choice which
contains JS code for a choice field the specified value is returned as
part of an error message.

I am not sure how it has a potential risk of XSS. The case here is if an
API user sends a crafted string he receives the crafted string.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1417762

Title:
  XSS in network create error reporting

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The error reporting in Horizon for creating a new network is
  susceptible to a Cross-Site Scripting vulnerability. Example
  request/response:

  Request

  POST /project/networks/create HTTP/1.1
  ...

  csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img
  src=zz
  onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=

  Response

  HTTP/1.1 200 OK
  Date: Tue, 03 Feb 2015 20:42:28 GMT
  Server: Apache/2.4.10 (Debian)
  Vary: Accept-Language,Cookie
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/json
  Content-Length: 209

  {"has_errors": true, "errors": {"createnetworkinfoaction":
  {"net_profile_id": ["Select a valid choice. <img src=zz
  onerror=alert(1)> is not one of the available choices."]}},
  "workflow_slug": "create_network"}

  In the above example if the net_profile_id does not exist, the json
  response contains the user input and Horizon echo's it out. Although
  it would be difficult to exploit this vulnerability because an
  attacker would need to manipulate the hidden HTML net_profile_id
  parameter or the POST body, Horizon should still HTML encode the
  output.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1417762/+subscriptions