yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1454074] Re: denial of service via large number of logout page requests

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lin Hua Cheng <1454074@xxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Aug 2015 15:53:20 -0000
Reply-to: Bug 1454074 <1454074@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: horizon
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1454074

Title:
  denial of service via large number of logout page requests

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  While investigating CVE-2014-8124
  (https://bugs.launchpad.net/horizon/+bug/1394370) I think I found
  another instance of the underlying issue, but with the logout form.

  I'm on Ubuntu 14.04 LTS, with distro-packaged openstack-dashboard
  1:2014.1.4-0ubuntu2. I verified the patch from
  https://review.openstack.org/140356 is applied to the installed files.
  I configured horizon to use mysql datastore, and ran the following
  command:

  while true ; do wget http://localhost/horizon/auth/logout/ ; done

  While this command was running I checked the mysql dash database table
  django_sessions and found it growing without apparent bound:

  select * from django_session;
  ...
  231 rows in set (0.00 sec)

  Is this an issue?

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1454074/+subscriptions