'''Horizon dashboard leaks internal information through cookies'''

Revision note: removed until merged. The removed draft text follows.

'''Summary'''

When horizon is configured, its URL contains the IP address of the internal URL of keystone. If the internal network is different from the public network, the IP address of the internal network will be displayed by horizon, which can expose sensitive information: the internal IP address.

The cookie "login_region" will be set to the value configured as OPENSTACK_KEYSTONE_URL.

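A deployment-side check for the behaviour described above, added here as an example and not part of OSSN-0073 or of Horizon's own code: it reads the Set-Cookie headers of a Horizon response, finds the "login_region" cookie, and reports the host if it is an IP literal in a private, loopback or link-local range. The cookie name and the assumption that its value is OPENSTACK_KEYSTONE_URL come from the note; the sample headers are constructed.

```python
"""Flag a Horizon login_region cookie that exposes a non-public address.

Added example, not Horizon's or OSSN-0073's code. It assumes only what the
note states: Horizon sets a cookie named "login_region" to the value of
OPENSTACK_KEYSTONE_URL. All sample headers are constructed.
"""
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_values(set_cookie_headers):
    """Return {name: value} parsed from a list of Set-Cookie header strings."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)          # handles quoted and unquoted values
        for name, morsel in jar.items():
            found[name] = morsel.value
    return found


def is_non_public_host(host):
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False              # a hostname, not an IP literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def leaked_internal_address(set_cookie_headers, cookie_name="login_region"):
    """Return the internal address the cookie reveals, or None if nothing is revealed."""
    value = cookie_values(set_cookie_headers).get(cookie_name)
    if value is None:
        return None
    host = urlsplit(value).hostname
    if host and is_non_public_host(host):
        return host
    return None


if __name__ == "__main__":
    # Constructed response headers: the first mimics a deployment whose
    # OPENSTACK_KEYSTONE_URL points at an internal management address.
    weak = ["login_region=http://10.0.0.5:5000/v3; Path=/; HttpOnly"]
    fixed = ["login_region=https://identity.example.com/v3; Path=/; HttpOnly"]
    print("weak config exposes:", leaked_internal_address(weak))
    print("fixed config exposes:", leaked_internal_address(fixed))
```

Run it against a live deployment by passing the `Set-Cookie` headers returned by the Horizon login page; a non-None result means the internal keystone address is being handed to every browser.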
'''Affected Services'''

Keystone, Horizon

'''Discussion'''

This seems to be a misconfiguration issue rather than a real bug.

Exposing the internalURL is not a bug either way: whoever views the internalURL finds either an endpoint freely accessible to authorized users or one hidden behind a firewall. Also, the data for internal URLs is freely available in the catalog, and the catalog is not considered private information.

'''Contacts / Reference'''

Author: Khanak Nangia, Intel

This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073

Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831

Related bug : https://bugs.launchpad.net/horizon/+bug/1597864

OpenStack Security ML : openstack-dev@lists.openstack.org

OpenStack Security Group : https://launchpad.net/~openstack-ossg