Bug 1077448

Summary: [ovirt][webadmin] SessionID for REST API stores in browser Local Storage
Product: [Retired] oVirt
Reporter: lzhuang <lzhuang>
Component: ovirt-engine-webadmin
Assignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Stehlik <pstehlik>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.4
CC: acathrow, alonbl, djorm, ecohen, gklein, huiwang, iheim, jechoi, khong, lzhuang, mgoldboi, suli, yeylon, yuzheng
Target Milestone: ---
Keywords: Security
Target Release: 3.4.1
Hardware: Unspecified
OS: Unspecified
Whiteboard: ux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-08 13:36:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description lzhuang 2014-03-18 03:26:28 UTC
Description of problem:
oVirt stores the session ID of the REST API (https://<host_ip>/ovirt-engine/api) in Local Storage. An attacker could steal the session ID via a single XSS attack.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Login to https://<host_ip>/ovirt-engine/webadmin
2. Open browser debugger and check "Local Storage"

Actual results:
oVirt stores the session ID of the REST API in Local Storage.

Expected results:
Sensitive data should not be stored in Local Storage; controls to treat untrusted data in Local Storage are also needed.

Additional info:

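As an added example (not oVirt's code), a JavaScript check that automates step 2 of the report and the two expectations above: it scans a Web Storage object for session-like entries and validates anything read back from storage before use. The key and value patterns, and the sample snapshot, are assumptions constructed for the example; in a browser you would pass window.localStorage, while a plain object stands in for it here so the check runs under Node.

```javascript
// Key names that usually carry authentication material (assumed common
// patterns, not oVirt's actual storage keys).
const SENSITIVE_KEY_RE = /session|sessid|token|auth|password|secret|api[_-]?key/i;
// Long strings from a token alphabet (hex, base64, UUID) are suspicious
// whatever the key is called.
const TOKEN_VALUE_RE = /^[A-Za-z0-9+/=_-]{24,}$/;
// Flatten either a Storage object (length/key/getItem) or a plain object
// into [key, value] pairs.
function storageEntries(storage) {
  if (typeof storage.key === 'function' && typeof storage.length === 'number') {
    const out = [];
    for (let i = 0; i < storage.length; i++) {
      const k = storage.key(i);
      out.push([k, storage.getItem(k)]);
    }
    return out;
  }
  return Object.entries(storage);
}

// Report every entry that looks like a session identifier or token: such
// values are readable by any script in the origin, so one XSS bug exposes them.
function auditStorage(storage) {
  const findings = [];
  for (const [key, value] of storageEntries(storage)) {
    const reasons = [];
    if (SENSITIVE_KEY_RE.test(key)) reasons.push('sensitive key name');
    if (typeof value === 'string' && TOKEN_VALUE_RE.test(value)) reasons.push('token-like value');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Treat whatever comes back from storage as untrusted (another script in the
// origin may have written it): accept it only if it has the expected shape.
function readValidated(storage, key, pattern) {
  const entry = storageEntries(storage).find(([k]) => k === key);
  const value = entry ? entry[1] : null;
  return typeof value === 'string' && pattern.test(value) ? value : null;
}

// Constructed snapshot modelled on the report: a REST session id stored
// beside harmless UI preferences, one of which has been tampered with.
const SAMPLE_STORAGE = {
  'ovirt_rest_session_id': 'c3VwZXJzZWNyZXRzZXNzaW9udG9rZW4xMjM0NTY=',
  'ui.theme': 'dark',
  'ui.locale': '<not-a-locale>',
};
```

Running auditStorage(SAMPLE_STORAGE) flags only the session entry; readValidated returns null for the tampered locale so the caller falls back to a default instead of using it.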
Comment 1 Kurt Seifried 2014-03-24 19:15:58 UTC
When you say "local storage" do you mean a local cookie, HTML5 storage, or something else?

Comment 2 Einav Cohen 2014-03-24 20:12:50 UTC
(In reply to Kurt Seifried from comment #1)
> When you say "local storage" do you mean a local cookie, HTML5 storage, or
> something else?

probably both, but I would like lzhuang to confirm that. lzhuang?

Comment 3 Alexander Wels 2014-03-24 20:17:08 UTC
I believe the issue lzhuang is referring to is HTML5 storage. For browsers that don't support this (IE8) we fall back to using a cookie.

Comment 4 lzhuang 2014-03-25 01:33:02 UTC
(In reply to Einav Cohen from comment #2)
> (In reply to Kurt Seifried from comment #1)
> > When you say "local storage" do you mean a local cookie, HTML5 storage, or
> > something else?
> 
> probably both, but I would like lzhuang to confirm that. lzhuang?

Hi,

"local storage" means HTML5 storage. As described in OWASP:
Local Storage also known as Web Storage or Offline Storage is a mechanism to store data as key/value pairs tied to a domain and enforced by the same origin policy (SOP).

Comment 6 Sandro Bonazzola 2014-05-08 13:36:55 UTC
This is an automated message

oVirt 3.4.1 has been released:
 * should fix your issue
 * should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.