[Fiware-lab-federation-nodes] Fwd: [Openstack] [OSSN-0073] Horizon dashboard leaks internal information through cookies

Federico Michele Facca federico.facca at martel-innovate.com
Fri Sep 9 19:49:50 CEST 2016


in case any of you also runs the Horizon dashboard.

federico
Dr. Federico Michele Facca
Head of Martel Lab

Martel Innovate
Dorfstrasse 73 - 3073 Gümligen (Switzerland)
0041 78 807 58 38
0041 31 994 25 25
martel-innovate.com <http://martel-innovate.com/>

> Begin forwarded message:
> 
> From: Luke Hinds <lhinds at redhat.com>
> Subject: [Openstack] [OSSN-0073] Horizon dashboard leaks internal information through cookies
> Date: 8 September 2016 at 22:38:17 GMT+2
> To: openstack at lists.openstack.org, openstack-dev at lists.openstack.org
> 
> Horizon dashboard leaks internal information through cookies
> ---
> 
> ### Summary ###
> When horizon is configured, its URL contains the IP address of
> the internal URL of keystone, as the default value for the identity
> service is "internalURL".[1]
> 
> The cookie "login_region" will be set to the value configured as
> OPENSTACK_KEYSTONE_URL, given in the local_settings.py file.
> 
> Usually, the OPENSTACK_KEYSTONE_URL is the publicURL, and hence the
> cookie URL will also be the public one. If set to internal URL (by
> default), then the login cookie URL will be the internal URL or IP. So,
> by putting the OPENSTACK_KEYSTONE_URL in the cookie that is sent to
> the public network, horizon leaks the values of the internal network IP
> address.
> 
> ### Affected Services and Software ###
> Horizon
> 
> ### Discussion ###
> This is not a bug in horizon, but a possible misconfiguration issue.
> 
> Exposing the internal URL is not a bug, since one can view the internal
> URL as it's a freely accessible endpoint to authorized users, or it's
> hidden behind a firewall. Also, the data for internal URLs are freely
> available in the catalog and the catalog is not considered private
> information.
> 
> ### Contacts / References ###
> Author: Khanak Nangia, Intel
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073
> Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831
> Related bug : https://bugs.launchpad.net/horizon/+bug/1597864
> OpenStack Security ML : openstack-dev at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> [1]: http://docs.openstack.org/developer/horizon/topics/settings.html

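The note above describes the leak as a copy of OPENSTACK_KEYSTONE_URL landing in the login_region cookie. The following Python script is an added audit helper, not code from the OSSN or from Horizon: it parses the Set-Cookie headers of a Horizon login response, extracts login_region, and flags the deployment when the URL's host is a non-global IP literal (RFC 1918, loopback, link-local, IPv6 ULA) or a bare hostname with no domain part. The sample headers and the cookie/URL values are constructed for this example; the bare-hostname rule is an assumption about how internal endpoints are usually named, not something the OSSN states.

```python
"""Audit a Horizon login response for a login_region cookie that exposes an
internal Keystone endpoint (hypothetical helper, not part of Horizon)."""
import ipaddress
from urllib.parse import urlparse

# Constructed Set-Cookie headers, as a Horizon login response might emit them.
# The first copies an internal-network Keystone URL into login_region; the
# second carries the public endpoint, which is what operators should see.
SAMPLE_HEADERS = [
    'csrftoken=0123456789abcdef; Path=/',
    'login_region="http://10.0.0.5:5000/v3"; Path=/',
]
SAFE_HEADERS = [
    'login_region="https://identity.example.com:5000/v3"; Path=/',
]


def cookie_value(set_cookie_header, name):
    """Return the value of cookie `name` from one Set-Cookie header, or None.

    Only the first `key=value` pair matters; attributes after ';' (Path,
    Secure, ...) are ignored. Surrounding double quotes are stripped, since
    a URL value is normally quoted because it contains ':' and '/'.
    """
    first, _, _ = set_cookie_header.partition(";")
    key, sep, value = first.strip().partition("=")
    if not sep or key.strip() != name:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def exposes_internal_address(url):
    """True when the URL's host looks like an internal endpoint.

    An IP literal counts as internal when it is not globally routable
    (ipaddress.is_global covers RFC 1918, loopback, link-local, ULA).
    A hostname without any dot is treated as an internal short name
    (assumption: public endpoints carry a domain suffix).
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host


def audit_login_region(set_cookie_headers):
    """Scan Set-Cookie headers and return one finding per leaky login_region."""
    findings = []
    for header in set_cookie_headers:
        region = cookie_value(header, "login_region")
        if region is None:
            continue
        if exposes_internal_address(region):
            findings.append(
                "login_region cookie exposes internal endpoint %s; "
                "set OPENSTACK_KEYSTONE_URL to the public endpoint" % region
            )
    return findings


if __name__ == "__main__":
    for label, headers in (("leaky", SAMPLE_HEADERS), ("safe", SAFE_HEADERS)):
        print(label, audit_login_region(headers) or ["no finding"])
```

Run it against the headers captured from a real login (for instance with `curl -i` on the dashboard's login URL) instead of the constructed samples; a non-empty result means the value of OPENSTACK_KEYSTONE_URL in local_settings.py is being sent to every browser on the public network.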

