Source: horizon
Version: 2014.1.2-2
Severity: important
Tags: security patch

Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.2

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A malicious administrator may conduct a persistent XSS attack by registering a malicious host aggregate in the Horizon Host Aggregate interface. Once executed in a legitimate context, this attack may reveal another admin's token, potentially resulting in a lateral privilege escalation. All Horizon setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/havana, stable/icehouse and master (Juno development branch) on the public disclosure date.

CVE: CVE-2014-3594

From 22edde980e0fb2238a62845bcd6922b39506b67b Mon Sep 17 00:00:00 2001
From: Julie Pichon <[email protected]>
Date: Tue, 29 Jul 2014 16:17:44 +0100
Subject: [PATCH] Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to a
template directly), autoescaping is not set by default and the input wasn't
sanitised.

Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
---
 openstack_dashboard/dashboards/admin/aggregates/tables.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py b/openstack_dashboard/dashboards/admin/aggregates/tables.py
index 4f2c9aa..a6277f6 100644
--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
+++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
@@ -98,6 +98,10 @@ def get_zone_hosts(zone): return host_details +def safe_unordered_list(value): + return filters.unordered_list(value, autoescape=True) + + class HostAggregatesTable(tables.DataTable): name = tables.Column('name', verbose_name=_('Name')) availability_zone = tables.Column('availability_zone', @@ -105,11 +109,11 @@ class HostAggregatesTable(tables.DataTable): hosts = tables.Column(get_aggregate_hosts, verbose_name=_("Hosts"), wrap_list=True, - filters=(filters.unordered_list,)) + filters=(safe_unordered_list,)) metadata = tables.Column(get_metadata, verbose_name=_("Metadata"), wrap_list=True, - filters=(filters.unordered_list,)) + filters=(safe_unordered_list,)) class Meta: name = "host_aggregates" @@ -128,7 +132,7 @@ class AvailabilityZonesTable(tables.DataTable): hosts = tables.Column(get_zone_hosts, verbose_name=_('Hosts'), wrap_list=True, - filters=(filters.unordered_list,)) + filters=(safe_unordered_list,)) available = tables.Column(get_available, verbose_name=_('Available'), status=True, status=True, -- 1.9.3 _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
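Review bot: `safe_unordered_list` in the first hunk (@@ -98,6 +98,10 @@) carries no docstring saying why it exists, so a later cleanup could "simplify" the columns back to `filters.unordered_list` and silently reopen the bug; a one-liner such as `"""unordered_list with autoescape forced on: table column filters are called outside a template, so no engine supplies the flag."""` would document the security intent. The `filters` import is not in the hunk context, so confirm it is the `django.template.defaultfilters` module, whose `unordered_list` accepts the `autoescape` keyword.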
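Review bot: the commit message states the problem generally (any Horizon table column that passes `filters.unordered_list` gets no autoescaping), yet the second hunk (@@ -105,11 +109,11 @@) fixes only the `hosts` and `metadata` columns of `HostAggregatesTable`, and the diffstat shows a single file changed. Either grep the other dashboards for `filters=(filters.unordered_list,)` and cover them in the same change, or push an autoescape default into the shared DataTable filter invocation in horizon so that per-column wrappers are unnecessary.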
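Review bot: the trailing context of the third hunk (@@ -128,7 +132,7 @@) shows `status=True,` on two consecutive lines inside the `available` column call; a keyword argument repeated in one call is a `SyntaxError` in Python, and the hunk header's seven new-side lines only add up with a single `status=True,`, so this is most likely a transcription artifact, but verify the file's real content before merging.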
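The mechanism the advisory and commit message describe, as an added example that is neither Horizon's nor Django's code: a simplified stand-in for Django's `unordered_list` filter with the same `autoescape=None` default, called directly the way a DataTable column filter is, beside the `safe_unordered_list` wrapper pattern from the patch. The `<ul>` structure is simplified and `SAMPLE_METADATA` is a constructed value.

```python
# Added example, not Horizon's or Django's code. Django filters marked
# needs_autoescape receive their autoescape flag from the template engine;
# when Horizon calls such a filter directly from a table column definition,
# nothing passes the flag, its default None is falsy, and raw markup from
# a host aggregate name or metadata value reaches the rendered page.
from html import escape


def unordered_list(value, autoescape=None):
    """Render a (possibly nested) list as <li> items.

    Mirrors the Django filter's signature and escaping contract; the HTML
    structure is simplified compared with the real filter.
    """
    if autoescape:
        escaper = escape          # conditional_escape in Django
    else:
        escaper = lambda x: x     # noqa: E731 -- markup passes through verbatim

    def render(items):
        parts = []
        for item in items:
            if isinstance(item, (list, tuple)):
                parts.append("<li><ul>%s</ul></li>" % render(item))
            else:
                parts.append("<li>%s</li>" % escaper(str(item)))
        return "".join(parts)

    return render(value)


def safe_unordered_list(value):
    """The pattern from the patch: force autoescape when called outside a template."""
    return unordered_list(value, autoescape=True)


# Constructed sample: aggregate metadata where one value carries markup,
# the kind of administrator-controlled string the advisory is about.
SAMPLE_METADATA = ["ssd=true", "<b>injected</b>"]


def renders_raw_markup(rendered):
    """True if a literal tag from the input survived into the rendered HTML."""
    return "<b>" in rendered


if __name__ == "__main__":
    print(unordered_list(SAMPLE_METADATA))        # tag passes through unescaped
    print(safe_unordered_list(SAMPLE_METADATA))   # &lt;b&gt;injected&lt;/b&gt;
```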

