21b261eccd
Added information about horizon dashboard leaks Change-Id: I4c5e8803758ac37b941bf50da7692ef09e2f6f57
40 lines
1.6 KiB
Plaintext
40 lines
1.6 KiB
Plaintext
Horizon dashboard leaks internal information through cookies
|
||
---
|
||
|
||
### Summary ###
|
||
When horizon is configured, its URL contains the IP address of
|
||
the internal URL of keystone, as the default value for the identity
|
||
service is "internalURL".[1]
|
||
|
||
The cookie "login_region" will be set to the value configured as
|
||
OPENSTACK_KEYSTONE_URL, given in the local_settings.py file.
|
||
|
||
Usually, the OPENSTACK_KEYSTONE_URL is the publicURL, and hence
|
||
the cookie URL will also be the public one. If set to internal URL
|
||
(by default), then the login cookie URL will be the internal URL or IP.
|
||
So, by putting the OPENSTACK_KEYSTONE_URL in the cookie that is sent to
|
||
the public network, horizon leaks the values of the internal network IP
|
||
address.
|
||
|
||
### Affected Services and Software ###
|
||
horizon
|
||
|
||
### Discussion ###
|
||
This is not a bug in horizon, but a possible misconfiguration issue.
|
||
|
||
Exposing the internal URL is not a bug, since one can view the internal
|
||
URL as it's a freely accessible endpoint to authorized users, or
|
||
it's hidden behind a firewall. Also, the data for internal URLs are
|
||
freely available in the catalog and the catalog is not considered
|
||
private information.
|
||
|
||
### Contacts / References ###
|
||
Author: Khanak Nangia, Intel
|
||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0073
|
||
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1585831
|
||
Related bug : https://bugs.launchpad.net/horizon/+bug/1597864
|
||
OpenStack Security ML : openstack-dev@lists.openstack.org
|
||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||
|
||
[1]: http://docs.openstack.org/developer/horizon/topics/settings.html
|