Comment 0 for bug 1522850

Adam Heczko (aheczko-mirantis) wrote :

Observed on:
All Horizon implementations using Django versions prior to 1.7

Problem description:
HTTP session cookie (Horizon cookie) containing the CSRF token is stored on disk for a long period of time.
This makes it possible to perform a CSRF attack on Horizon when the cookie gets revealed/stolen from disk.

Upstream bug report:
https://bugs.launchpad.net/horizon/+bug/1369865

Solution proposal:
- patch Django shipped with MOS
- apply other CSRF preventive actions:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/
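The property the report above complains about (a cookie that a browser writes to its on-disk cookie store and keeps for a long time) is visible directly in the Set-Cookie headers Horizon returns: a browser only persists a cookie that carries an Expires or Max-Age attribute, while a cookie without either lives in memory until the browser exits. The following checker, added here as an illustration and not code from Horizon, Django or the reporter, parses Set-Cookie values and reports whether each cookie is persistent, how long it would live, and whether the Secure/HttpOnly flags are missing. The sample headers, the one-day "long-lived" threshold and the fixed reference time are constructed assumptions for the example.

```python
"""Audit Set-Cookie headers for persistence and hardening flags.

Added example for this bug report; not code from Horizon or Django.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, not captured from a real deployment.
SAMPLE_HEADERS = [
    # Persistent session cookie with no Secure/HttpOnly: the pattern this bug describes.
    "sessionid=abc123; expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
    # Session-scoped cookie: no Expires/Max-Age, so it is never written to disk.
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    # CSRF cookie kept for about a year via Max-Age, missing HttpOnly.
    "csrftoken=tok; Max-Age=31449600; Path=/; Secure",
]

# Assumed threshold: anything kept longer than this is reported as long-lived.
LONG_LIVED = timedelta(days=1)

# Fixed "now" so the sample run is reproducible (assumption for the example).
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lower-cased attribute: value})."""
    name_value, *attrs = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        if key:
            attributes[key.lower()] = val.strip()
    return name.strip(), value, attributes


def cookie_lifetime(attributes, now):
    """Return None for a session cookie, otherwise the remaining lifetime.

    Max-Age takes precedence over Expires when both are present (RFC 6265, 5.3).
    """
    if "max-age" in attributes:
        return timedelta(seconds=int(attributes["max-age"]))
    if "expires" in attributes:
        expires = parsedate_to_datetime(attributes["expires"])
        if expires.tzinfo is None:  # "-0000" style dates parse as naive UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_cookie(header, now=None):
    """Report persistence, lifetime in seconds and missing flags for one cookie."""
    now = now or datetime.now(timezone.utc)
    name, _, attributes = parse_set_cookie(header)
    lifetime = cookie_lifetime(attributes, now)
    # A cookie whose lifetime has already elapsed (e.g. Max-Age=0) is discarded, not stored.
    persistent = lifetime is not None and lifetime.total_seconds() > 0
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attributes]
    findings = []
    if persistent and lifetime > LONG_LIVED:
        findings.append("persistent cookie stays on disk for %d days" % lifetime.days)
    findings.extend("missing %s" % flag for flag in missing)
    return {
        "name": name,
        "persistent": persistent,
        "lifetime_seconds": None if lifetime is None else int(lifetime.total_seconds()),
        "missing_flags": missing,
        "findings": findings,
    }


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = audit_cookie(header, now=REFERENCE_NOW)
        print(report["name"],
              "persistent" if report["persistent"] else "session-only",
              "; ".join(report["findings"]) or "ok")
```

Feed it the Set-Cookie lines from a real Horizon response (for example the output of curl -i against the login page) to see which cookies end up on disk. In Django the session cookie only omits Expires when SESSION_EXPIRE_AT_BROWSER_CLOSE is True; with the default (False) it is issued with SESSION_COOKIE_AGE, and the separate CSRF cookie uses CSRF_COOKIE_AGE, whose default is the one-year value used in the third sample header.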