
yahoo-eng-team team mailing list archive

[Bug 1825549] Re: Phishing opportunity via unvalidated text in GET request


Also, after more carefully re-reading what Mark put in the bug
description, I retract what I said in comment #2. This isn't a CWE-601
case as it doesn't allow performing an actual redirect (or even support
markup, so no embedded clickable link). Sounds like the most it can do
is provide authentic-looking messages containing dubious instructions,
so I would consider this a hardening opportunity.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1825549

Title:
  Phishing opportunity via unvalidated text in GET request

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Some pages in Horizon appear to not validate the source information
  when displaying data provided in parameters, leading to a potential
  opportunity for phishing.  For example, here:

  https://git.openstack.org/cgit/openstack/horizon/tree/horizon/templates/auth/_login_form.html#n37

  Imagine this scenario: Alice logs into Horizon, works for a while,
  then checks her email.  An attacker has emailed her asking to check
  out something in Horizon and provides a clickable link whose href is:

  http://myhorizonurl.com/dashboard/auth/login/?next=Error!+Please+try+this+url+instead:%00http://www.malwaredomain.com/

  Since Alice is already logged in to Horizon, when she clicks the link
  she will see a "proper-looking" message in Horizon pointing her to
  another site where she might be further exploited.  This might be
  avoided if the source of the parameters in the GET request were
  validated.

  Note that AFAIK it's not possible to do markup in the message (e.g. to
  turn malwaredomain.com into a clickable link on the Horizon page) or
  actually create a redirect with this approach.  In this particular
  case it also only works if the user is logged in already (otherwise
  Alice will get punted to the login screen and will get a 404 error
  after providing credentials).

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1825549/+subscriptions
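A defensive check for the `next` parameter behaviour described in the report, added here as an example; it is not Horizon's own code. The helper names, the allowed-host value and the fallback path are assumptions, and the sample link is the one quoted in the bug description.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed deployment hostname (placeholder, not from Horizon's settings).
ALLOWED_HOSTS = {"myhorizonurl.com"}

# The link from the bug description, kept here only as a test input.
REPORTED_LINK = ("http://myhorizonurl.com/dashboard/auth/login/?next=Error!+Please+try+this"
                 "+url+instead:%00http://www.malwaredomain.com/")


def next_param_from_url(url: str) -> str:
    """Extract the decoded ``next`` query parameter ('+' and %00 are decoded by parse_qs)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("next", [""])[0]


def is_safe_next(value: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a root-relative path or an http(s) URL on an allowed host.

    Free text such as 'Error! Please try this url instead:...' fails every branch,
    so it is never echoed back into the login page message.
    """
    if not value:
        return False
    # Control characters (the reported payload embeds a NUL via %00) are never legitimate.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False
    # Protocol-relative ("//host") and backslash forms are rejected outright.
    if value.startswith("//") or "\\" in value:
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.netloc in allowed_hosts
    # Anything else must be a root-relative path on this site.
    return value.startswith("/")


def resolve_next(value: str, default: str = "/", allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the validated target, or a fixed default so untrusted text never reaches the page."""
    return value if is_safe_next(value, allowed_hosts) else default


if __name__ == "__main__":
    reported = next_param_from_url(REPORTED_LINK)
    print(repr(reported), "->", resolve_next(reported))
```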