
OSSN/OSSN-0073

Revision as of 21:23, 17 August 2016 by Khanak.nangia

Horizon dashboard leaks internal information through cookies

Summary

When Horizon is configured, its Keystone URL contains the IP address of Keystone's internal endpoint. If the internal network is different from the public network, Horizon will display the IP address of the internal network, which can expose sensitive information: the internal IP address. The cookie "login_region" is set to the value configured as OPENSTACK_KEYSTONE_URL.
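The following audit helper is an added example, not code from the OSSN or from Horizon. It assumes a captured Set-Cookie header from a Horizon login response, with the "login_region" cookie value being the Keystone endpoint URL (either cookie-quoted or percent-encoded; both are assumptions), and flags the response when that URL's host is an IP literal in a non-public range.

```python
"""Audit a Horizon login response for the OSSN-0073 login_region leak."""
import ipaddress
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import unquote, urlparse

COOKIE_NAME = "login_region"

# Constructed sample header; the 10.0.0.5 address is a placeholder, not a real host.
SAMPLE_SET_COOKIE = 'login_region="http://10.0.0.5:5000/v2.0"; Path=/'


def keystone_url_from_cookie(set_cookie_header: str) -> Optional[str]:
    """Return the URL carried in the login_region cookie, or None if absent.

    Accepts a cookie-quoted value (as Python/Django cookie handling emits
    for values containing '/' and ':') or a percent-encoded one.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return unquote(morsel.value)


def host_is_internal(url: str) -> bool:
    """True when the URL's host is an IP literal outside the global range.

    A DNS hostname is not treated as a leak: it reveals nothing about the
    internal addressing plan by itself. Private, loopback and link-local
    literals (IPv4 or IPv6) are all flagged via ipaddress.is_global.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname rather than an IP literal
    return not addr.is_global


def audit_login_response(set_cookie_header: str) -> dict:
    """Summarise whether the response exposes an internal Keystone address."""
    url = keystone_url_from_cookie(set_cookie_header)
    return {
        "cookie_present": url is not None,
        "keystone_url": url,
        "leaks_internal_address": url is not None and host_is_internal(url),
    }


if __name__ == "__main__":
    print(audit_login_response(SAMPLE_SET_COOKIE))
```

The same check applied to the OPENSTACK_KEYSTONE_URL value in local_settings.py (via host_is_internal) tells an operator whether the setting itself needs to point at a public hostname or endpoint before Horizon ever sets the cookie.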

Affected Services

Keystone, Horizon

Discussion

This seems to be a misconfiguration issue rather than a real bug. Exposing the internalURL is not a bug either way: whoever views the internalURL, it is either a freely accessible endpoint for authorized users or it is hidden behind a firewall. Also, the data for internal URLs is freely available in the catalog, and the catalog is not considered private information.


Contacts / Reference

Author: Khanak Nangia, Intel
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831
Related bug : https://bugs.launchpad.net/horizon/+bug/1597864
OpenStack Security ML : openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg