I've made this report public. For now the OpenStack VMT is considering it a security hardening opportunity (class D report), so no corresponding advisory publication is planned but fixing is still encouraged of course: https://security.openstack.org/vmt-process.html #incident-report-taxonomy
** Description changed: - This issue is being treated as a potential security risk under - embargo. Please do not make any public mention of embargoed - (private) security vulnerabilities before their coordinated - publication by the OpenStack Vulnerability Management Team in the - form of an official OpenStack Security Advisory. This includes - discussion of the bug or associated fixes in public forums such as - mailing lists, code review systems and bug trackers. Please also - avoid private disclosure to other individuals not already approved - for access to this information, and provide this same reminder to - those who are made aware of the issue prior to publication. All - discussion should remain confined to this private bug report, and - any proposed fixes should be added to the bug as attachments. This - embargo shall not extend past 2021-01-02 and will be made - public by or on that date even if no fix is identified. - Impact: An attacker can use text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typical to tick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust Recommendation: It is recommended not to take user input and reflect to the webpage via parameter. It would a better option if these contents can be hardcoded into the codebase. Affected Parameter: csrf_failure POC: Navigate to https://SAMPLE.com/auth/login/?csrf_failure=HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM The malicious content will get injection into the web-page. ** Information type changed from Private Security to Public ** Tags added: security ** Changed in: ossa Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1898465 Title: In Openstack Horizon component it was observed that the application is taking input from URL and reflecting it into the webpage Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisory: Won't Fix Bug description: Impact: An attacker can use text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typical to tick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust Recommendation: It is recommended not to take user input and reflect to the webpage via parameter. It would a better option if these contents can be hardcoded into the codebase. Affected Parameter: csrf_failure POC: Navigate to https://SAMPLE.com/auth/login/?csrf_failure=HI,%20THE%20CONTENT%20IS%20HIJACKED%20PLEASE%20VISIT%20EVIL.COM The malicious content will get injection into the web-page. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1898465/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
