Description of problem:
oVirt stores the session ID of the REST API (https://<host_ip>/ovirt-engine/api) in Local Storage. An attacker could steal the session ID via a single XSS attack.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Login to https://<host_ip>/ovirt-engine/webadmin
2. Open browser debugger and check "Local Storage"

Actual results:
oVirt stores session ID of REST API in Local Storage

Expected results:
Sensitive data should not be stored in Local Storage; controls to treat untrusted data in Local Storage are also needed.

Additional info:
When you say "local storage" do you mean a local cookie, HTML5 storage, or something else?
(In reply to Kurt Seifried from comment #1)
> When you say "local storage" do you mean a local cookie, HTML5 storage, or
> something else?

probably both, but I would like lzhuang to confirm that. lzhuang?
I believe the issue lzhuang is referring to is HTML5 storage. For browsers that don't support this (IE8) we fall back to using a cookie.
(In reply to Einav Cohen from comment #2)
> (In reply to Kurt Seifried from comment #1)
> > When you say "local storage" do you mean a local cookie, HTML5 storage, or
> > something else?
>
> probably both, but I would like lzhuang to confirm that. lzhuang?

Hi, "local storage" means HTML5 storage. As described in OWASP: Local Storage, also known as Web Storage or Offline Storage, is a mechanism to store data as key/value pairs tied to a domain and enforced by the same origin policy (SOP).
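The reason a Web Storage entry is exposed to an XSS bug is that every script running in the origin can enumerate it, so a defender's first check is to list what the application keeps there. The audit below is an added example, not code from the oVirt bug or project; the key name `restapi-session-id`, the regex of sensitive key names and the sample values are constructed assumptions, and the Storage-like stand-in replaces `window.localStorage` so it runs outside a browser.

```javascript
// Audit a Web Storage area for entries that look like session identifiers.
// Anything readable here is readable by any script in the origin, which is
// why a single XSS bug is enough to expose it.

// Key names that commonly hold credentials (assumption, not oVirt's names).
const SENSITIVE_KEY = /session|token|auth|jsessionid|csrf|secret|password/i;

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A value "looks like a token" when it is one long opaque word with high entropy.
function looksLikeToken(value) {
  return /^[A-Za-z0-9+/=_\-.]{16,}$/.test(value) && shannonEntropy(value) > 3.5;
}

// Enumerate a Storage-like object the way a page script would enumerate
// window.localStorage (length, key(i), getItem(key)).
function readStorage(storage) {
  const entries = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    entries.push([key, storage.getItem(key)]);
  }
  return entries;
}

// Return the entries a reviewer should question, with a reason for each.
function auditStorage(storage) {
  return readStorage(storage).flatMap(([key, value]) => {
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (looksLikeToken(value)) reasons.push('token-like value');
    return reasons.length ? [{ key, reasons }] : [];
  });
}

// Constructed sample mirroring the report: a REST session id next to harmless UI state.
function sampleStorage() {
  const data = { 'restapi-session-id': 'f3a9c1d27b4e48e0a6d5b2c9e71f0a3d', 'ui-locale': 'en_US', 'grid-columns': '4' };
  const keys = Object.keys(data);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => data[k] };
}
```

In a browser console the same audit runs as `auditStorage(window.localStorage)`; an entry flagged on both counts is a candidate for moving into an HttpOnly cookie, which `document.cookie` cannot read.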
This is an automated message

oVirt 3.4.1 has been released:
* should fix your issue
* should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.