Wednesday, 2018-05-30

*** jamespage has quit IRC 00:04
*** zul has quit IRC 00:04
*** Guest9435_ has joined #openstack-security 00:04
*** nicolasbock has quit IRC 00:06
*** Guest9435 has quit IRC 00:06
*** zigo has quit IRC 00:06
*** zigo_ has joined #openstack-security 00:06
*** ChanServ has quit IRC 00:12
*** jamespage has joined #openstack-security 00:15
*** zul has joined #openstack-security 00:16
*** ChanServ has joined #openstack-security 00:33
*** barjavel.freenode.net sets mode: +o ChanServ 00:33
*** atoth has quit IRC 00:35
*** gianpietro has joined #openstack-security 00:39
*** nicolasbock has joined #openstack-security 00:40
*** chyka has joined #openstack-security 01:03
*** chyka has quit IRC 01:08
*** jamespage has quit IRC 01:30
*** gyee has quit IRC 01:31
*** jamespage has joined #openstack-security 01:44
*** markvoelker_ has quit IRC 02:45
<tristanC> gianpietro: isn't this fixed by https://bugs.launchpad.net/horizon/+bug/1567673 ? 02:53
<openstack> Launchpad bug 1567673 in OpenStack Dashboard (Horizon) "[OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)" [Critical,Fix released] - Assigned to Tristan Cacqueray (tristan-cacqueray) 02:53
*** dikonoor has joined #openstack-security 03:29
*** markvoelker has joined #openstack-security 03:35
*** markvoelker has quit IRC 03:39
*** nicolasbock has quit IRC 03:55
*** markvoelker has joined #openstack-security 04:29
*** gianpietro has quit IRC 04:32
*** gianpietro has joined #openstack-security 04:32
<gianpietro> tristanC: it seems the login form is still vulnerable, he says he was able to (1) create a new parameter called 'next' and give it the value 'XSS_value', (2) modify username, login_region and id_region values ... I'm not sure on how to exploit this but I will privately send you the screenshots he shared 04:51
<gianpietro> tristanC: he also sent me an additional example where he adds the following to the login screen: '/auth/login?next={{1+1}}' and the link is accepted and changes code from the URL itself, which he says should not be happening as no web application should allow for such characters. Finally, he shares a couple of other links to describe the vulnerability: (1) https://portswigger.net/kb/issues/00200308_client-side-template-injection (2) https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection 04:57
*** markvoelker has quit IRC 05:03
*** dikonoor has quit IRC 05:05
<tristanC> gianpietro: it seems to be working as expected, where do you see the "{{1+1}}" getting evaluated? 05:06
<tristanC> though please add any new findings to the bug so that horizon dev can have a closer look 05:11
*** dikonoor has joined #openstack-security 05:11
*** gianpietro has quit IRC 05:11
*** gianpietro has joined #openstack-security 05:12
*** macermak has joined #openstack-security 05:13
*** dikonoor has quit IRC 05:23
*** dikonoor has joined #openstack-security 05:26
*** dikonoor has quit IRC 05:29
*** gianpietro has quit IRC 06:03
*** gianpietro has joined #openstack-security 06:03
*** gianpietro has quit IRC 06:06
*** gianpietro has joined #openstack-security 06:06
*** gianpietro has quit IRC 06:08
*** markvoelker has joined #openstack-security 06:20
*** AlexeyAbashkin has joined #openstack-security 06:32
*** pcaruana has joined #openstack-security 06:33
*** gianpietro has joined #openstack-security 06:49
*** gianpiet_ has joined #openstack-security 06:53
*** gianpietro has quit IRC 06:54
*** markvoelker has quit IRC 06:54
*** gianpiet_ has quit IRC 06:57
*** gianpietro has joined #openstack-security 07:09
*** gianpietro has quit IRC 07:12
*** gianpiet_ has joined #openstack-security 07:12
*** jaosorior has joined #openstack-security 07:15
*** gianpiet_ has quit IRC 07:16
*** gianpietro has joined #openstack-security 07:20
*** tesseract has joined #openstack-security 07:20
*** rcernin has quit IRC 07:27
*** markvoelker has joined #openstack-security 07:45
*** markvoelker has quit IRC 07:49
*** chyka has joined #openstack-security 07:58
*** chyka has quit IRC 08:02
*** markvoelker has joined #openstack-security 08:38
*** Alexey_Abashkin has joined #openstack-security 08:50
*** Alexey_Abashkin has quit IRC 08:51
*** AlexeyAbashkin has quit IRC 08:51
*** AlexeyAbashkin has joined #openstack-security 08:52
*** salv-orlando has joined #openstack-security 09:02
*** markvoelker has quit IRC 09:12
*** zigo_ is now known as zigo 09:56
*** jaosorior has quit IRC 10:14
*** salv-orlando has quit IRC 10:26
*** AlexeyAbashkin has quit IRC 10:30
*** AlexeyAbashkin has joined #openstack-security 10:31
*** jaosorior has joined #openstack-security 10:31
*** markvoelker has joined #openstack-security 10:35
*** AlexeyAbashkin has quit IRC 10:36
*** nicolasbock has joined #openstack-security 10:50
*** markvoelker has quit IRC 11:06
*** AlexeyAbashkin has joined #openstack-security 11:21
*** dave-mccowan has joined #openstack-security 11:21
*** dave-mccowan has quit IRC 11:26
*** dave-mcc_ has joined #openstack-security 11:26
*** gianpietro has quit IRC 11:31
*** chyka has joined #openstack-security 11:35
*** chyka has quit IRC 11:40
*** gianpietro has joined #openstack-security 12:06
*** atoth has joined #openstack-security 12:16
*** salv-orlando has joined #openstack-security 12:43
*** salv-orlando has quit IRC 12:43
*** salv-orlando has joined #openstack-security 12:44
*** salv-orlando has quit IRC 12:44
*** salv-orlando has joined #openstack-security 12:44
*** salv-orlando has quit IRC 12:44
*** salv-orlando has joined #openstack-security 12:44
*** salv-orlando has quit IRC 12:45
*** salv-orlando has joined #openstack-security 12:45
*** salv-orlando has quit IRC 12:45
*** salv-orlando has joined #openstack-security 12:46
*** salv-orlando has quit IRC 12:46
*** edmondsw has joined #openstack-security 12:50
*** markvoelker has joined #openstack-security 12:54
*** gianpietro has quit IRC 13:08
*** gianpietro has joined #openstack-security 13:20
*** markvoelker has quit IRC 13:24
*** nicolasbock has quit IRC 13:40
*** nicolasbock has joined #openstack-security 13:53
*** AlexeyAbashkin has quit IRC 14:02
*** AlexeyAbashkin has joined #openstack-security 14:04
*** dave-mcc_ is now known as dave-mccowan 14:55
*** gyee has joined #openstack-security 15:05
*** markvoelker has joined #openstack-security 15:08
*** pcaruana has quit IRC 15:33
*** markvoelker has quit IRC 15:41
*** macermak has quit IRC 15:47
*** coolfortea has joined #openstack-security 15:47
*** chyka has joined #openstack-security 16:01
*** coolfortea has quit IRC 16:05
*** gianpietro has quit IRC 16:09
*** pcaruana has joined #openstack-security 16:23
*** salv-orlando has joined #openstack-security 16:47
*** salv-orlando has quit IRC 16:47
*** salv-orlando has joined #openstack-security 16:48
*** salv-orlando has quit IRC 16:48
*** salv-orlando has joined #openstack-security 16:48
*** salv-orlando has quit IRC 16:49
*** salv-orlando has joined #openstack-security 16:49
*** salv-orlando has quit IRC 16:50
*** salv-orlando has joined #openstack-security 16:50
*** salv-orlando has quit IRC 16:50
*** salv-orlando has joined #openstack-security 16:51
*** salv-orlando has quit IRC 16:51
*** SimAloo has joined #openstack-security 17:00
*** tesseract has quit IRC 17:10
*** AlexeyAbashkin has quit IRC 17:29
*** markvoelker has joined #openstack-security 17:30
*** AlexeyAbashkin has joined #openstack-security 17:31
*** AlexeyAbashkin has quit IRC 17:36
*** gianpietro has joined #openstack-security 17:47
*** gianpietro has quit IRC 17:51
*** AlexeyAbashkin has joined #openstack-security 17:57
*** markvoelker has quit IRC 18:00
*** Alexey_Abashkin has joined #openstack-security 18:00
*** AlexeyAbashkin has quit IRC 18:02
*** Alexey_Abashkin is now known as AlexeyAbashkin 18:02
*** pcaruana has quit IRC 18:09
*** gianpietro has joined #openstack-security 18:27
*** AlexeyAbashkin has quit IRC 18:40
*** markvoelker has joined #openstack-security 18:50
*** markvoelker has quit IRC 18:55
*** atoth has quit IRC 18:55
*** gianpietro has quit IRC 18:58
*** gianpietro has joined #openstack-security 18:59
*** gianpietro has quit IRC 19:01
*** gianpietro has joined #openstack-security 19:01
*** nicolasbock has quit IRC 19:33
*** markvoelker has joined #openstack-security 19:45
*** nicolasbock has joined #openstack-security 19:48
*** markvoelker has quit IRC 19:54
*** gianpietro has quit IRC 20:09
*** markvoelker has joined #openstack-security 20:25
*** gianpietro has joined #openstack-security 20:40
*** salv-orlando has joined #openstack-security 21:00
*** salv-orlando has quit IRC 21:01
*** salv-orlando has joined #openstack-security 21:01
*** SimAloo has quit IRC 21:03
*** salv-orlando has quit IRC 21:13
*** markvoelker has quit IRC 21:14
*** markvoelker has joined #openstack-security 21:14
*** gianpietro has quit IRC 21:15
*** gianpietro has joined #openstack-security 21:16
*** gianpietro has joined #openstack-security 21:16
*** gianpietro has quit IRC 21:17
*** gianpiet_ has joined #openstack-security 21:17
*** gianpiet_ has quit IRC 21:17
*** gianpietro has joined #openstack-security 21:18
*** markvoelker has quit IRC 21:18
*** gianpietro has quit IRC 21:18
*** gianpiet_ has joined #openstack-security 21:19
*** gianpiet_ has quit IRC 22:17
*** gianpietro has joined #openstack-security 22:18
*** gianpietro has quit IRC 22:22
*** rcernin has joined #openstack-security 22:22
*** dave-mccowan has quit IRC 22:23
*** salv-orlando has joined #openstack-security 22:32
*** salv-orlando has quit IRC 22:37
*** nicolasbock has quit IRC 22:47
*** edmondsw has quit IRC 22:52
*** edmondsw has joined #openstack-security 22:53
*** edmondsw has quit IRC 22:57
*** markvoelker has joined #openstack-security 23:25
*** chyka has quit IRC 23:31
*** salv-orlando has joined #openstack-security 23:33
*** salv-orlando has quit IRC 23:34
*** salv-orlando has joined #openstack-security 23:34
*** salv-orlando has quit IRC 23:40
*** markvoelker has quit IRC 23:43
*** markvoelker has joined #openstack-security 23:44
*** markvoelker has quit IRC 23:48

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!