Difference between revisions of "OSSN/OSSN-0073"
m |
|||
Line 11: | Line 11: | ||
OPENSTACK_KEYSTONE_URL, given in the local_settings.py file. | OPENSTACK_KEYSTONE_URL, given in the local_settings.py file. | ||
− | Usually, the OPENSTACK_KEYSTONE_URL is the publicURL, and hence | + | Usually, the `OPENSTACK_KEYSTONE_URL` is the publicURL, and hence |
the cookie URL will also be the public one. If set to internal URL | the cookie URL will also be the public one. If set to internal URL | ||
(by default), then the login cookie URL will be the internal URL or IP. | (by default), then the login cookie URL will be the internal URL or IP. | ||
− | So, by putting the OPENSTACK_KEYSTONE_URL in the cookie that is sent to | + | So, by putting the `OPENSTACK_KEYSTONE_URL` in the cookie that is sent to |
the public network, horizon leaks the values of the internal network IP | the public network, horizon leaks the values of the internal network IP | ||
address. | address. | ||
Line 32: | Line 32: | ||
==== Contacts / References ==== | ==== Contacts / References ==== | ||
Author: Khanak Nangia, Intel | Author: Khanak Nangia, Intel | ||
+ | |||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073 | This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073 | ||
+ | |||
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831 | Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831 | ||
+ | |||
Related bug : https://bugs.launchpad.net/horizon/+bug/1597864 | Related bug : https://bugs.launchpad.net/horizon/+bug/1597864 | ||
+ | |||
OpenStack Security ML : openstack-dev@lists.openstack.org | OpenStack Security ML : openstack-dev@lists.openstack.org | ||
+ | |||
OpenStack Security Group : https://launchpad.net/~openstack-ossg | OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||
+ | |||
[1]: http://docs.openstack.org/developer/horizon/topics/settings.html | [1]: http://docs.openstack.org/developer/horizon/topics/settings.html |
Latest revision as of 08:10, 15 September 2016
Horizon dashboard leaks internal information through cookies
Summary
When horizon is configured, its URL contains the IP address of the internal URL of keystone, as the default value for the identity service is "internalURL".[1]
The cookie "login_region" will be set to the value configured as OPENSTACK_KEYSTONE_URL, given in the local_settings.py file.
Usually, the `OPENSTACK_KEYSTONE_URL` is the publicURL, and hence the cookie URL will also be the public one. If set to internal URL (by default), then the login cookie URL will be the internal URL or IP. So, by putting the `OPENSTACK_KEYSTONE_URL` in the cookie that is sent to the public network, horizon leaks the values of the internal network IP address.
Affected Services / Software
Horizon
Discussion
This is not a bug in horizon, but a possible misconfiguration issue.
Exposing the internal URL is not a bug, since one can view the internal URL as it's a freely accessible endpoint to authorized users, or it's hidden behind a firewall. Also, the data for internal URLs are freely available in the catalog and the catalog is not considered private information.
Contacts / References
Author: Khanak Nangia, Intel
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831
Related bug : https://bugs.launchpad.net/horizon/+bug/1597864
OpenStack Security ML : openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
[1]: http://docs.openstack.org/developer/horizon/topics/settings.html