yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #48352
[Bug 1394370] Re: [OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124)
** Changed in: horizon/juno
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1394370
Title:
[OSSA 2014-040] horizon login page is vulnerable to DOS attack
(CVE-2014-8124)
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Released
Status in OpenStack Dashboard (Horizon) juno series:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
We have horizon deployed with mysql sessions. I believe this issue
exists with all db backed sessions, and likely memchached too (but I
am not sure).
Every request to the login page is generating a new session record in the db. This is based upon this line of code:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L41
What happens is as soon as you access request.session['foo'] then you are going to get an entry in the db.
I have placed some debugging code in a variety of locations where we
are accessing the session store before we should be, which creates
these records:
https://github.com/openstack/horizon/blob/master/horizon/middleware.py#L94
The check for the timeout should never occur if there is no authenticated user. So the check a few lines below needs to be moved higher.
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L50
This check I am not sure how to work around. We are accessing the session, which creates records, just trying to keep track if a user is logged in or not. It seems like we are not using the django auth mechanisms correctly here, and I can't see if there is a workaround.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1394370/+subscriptions