OSSN/OSSN-0073

Summary
When horizon is configured, its URL contains the IP address of the internal URL of keystone, as the default value for the identity service is "internalURL".[1]

The cookie "login_region" will be set to the value configured as OPENSTACK_KEYSTONE_URL, given in the local_settings.py file.

Usually, the `OPENSTACK_KEYSTONE_URL` is the publicURL, and hence the cookie URL will also be the public one. If set to internal URL (by default), then the login cookie URL will be the internal URL or IP. So, by putting the `OPENSTACK_KEYSTONE_URL` in the cookie that is sent to the public network, horizon leaks the values of the internal network IP address.

Affected Services / Software
Horizon

Discussion
This is not a bug in horizon, but a possible misconfiguration issue.

Exposing the internal URL is not a bug, since one can view the internal URL as it's a freely accessible endpoint to authorized users, or it's hidden behind a firewall. Also, the data for internal URLs are freely available in the catalog and the catalog is not considered private information.

Contacts / References
Author: Khanak Nangia, Intel

This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073

Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831

Related bug : https://bugs.launchpad.net/horizon/+bug/1597864

OpenStack Security ML : openstack-dev@lists.openstack.org

OpenStack Security Group : https://launchpad.net/~openstack-ossg

[1]: http://docs.openstack.org/developer/horizon/topics/settings.html