yahoo-eng-team team mailing list archive
Message #35400
[Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
** Changed in: horizon
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1457551
Title:
Another Horizon login page vulnerability to a DoS attack
Status in OpenStack Dashboard (Horizon):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
This bug is very similar to: https://bugs.launchpad.net/bugs/1394370
Steps to reproduce:
1) Set up Horizon to use the db as the session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
I've got 100 rows in django_session after this.
I've used a devstack installation with just the updated master branch.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions
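
A defender-side check for the django_session row growth described in the report, as an added example that is not part of the original bug report or of Horizon's code: the table has no creation column, so the check derives each row's last-save time from expire_date and flags minutes in which unusually many rows were written. The one-hour session lifetime, the threshold, and the in-memory SQLite stand-in with constructed rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed session lifetime; set this to the value your deployment actually uses.
SESSION_AGE = timedelta(seconds=3600)


def last_saved_per_minute(conn, session_age=SESSION_AGE):
    """Map each minute to the number of session rows last saved in that minute.

    expire_date is written as (save time + session lifetime), so subtracting
    the lifetime recovers when the row was last written.
    """
    buckets = {}
    for (expire,) in conn.execute("SELECT expire_date FROM django_session"):
        saved = datetime.fromisoformat(expire) - session_age
        minute = saved.replace(second=0, microsecond=0)
        buckets[minute] = buckets.get(minute, 0) + 1
    return buckets


def burst_minutes(conn, threshold, session_age=SESSION_AGE):
    """Return the minutes in which at least `threshold` rows were written."""
    counts = last_saved_per_minute(conn, session_age)
    return sorted(m for m, n in counts.items() if n >= threshold)


def build_sample_db():
    """Constructed sample data: 5 ordinary sessions plus a 100-row burst."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE django_session ("
        "session_key TEXT PRIMARY KEY, session_data TEXT, expire_date TEXT)"
    )
    base = datetime(2015, 5, 21, 12, 0, 0)  # constructed timestamp
    rows = []
    for i in range(5):  # ordinary sessions, ten minutes apart
        saved = base + timedelta(minutes=10 * i)
        rows.append((f"user{i}", "", (saved + SESSION_AGE).isoformat(sep=" ")))
    for i in range(100):  # burst: 100 rows written within the minute 12:25
        saved = base + timedelta(minutes=25, seconds=i % 60)
        rows.append((f"burst{i}", "", (saved + SESSION_AGE).isoformat(sep=" ")))
    conn.executemany("INSERT INTO django_session VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for minute in burst_minutes(build_sample_db(), threshold=50):
        print("session-row burst at", minute)
```

Against a real deployment the same query runs through the database driver for the configured session backend, with the threshold tuned to normal login traffic.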