
yahoo-eng-team team mailing list archive

[Bug 1825549] Re: Phishing opportunity via unvalidated text in GET request


*** This bug is a duplicate of bug 1865026 ***
    https://bugs.launchpad.net/bugs/1865026

Turns out any URL provided in the next value will be followed
automatically, so this is an open redirect (duplicate of bug 1865026).

** No longer affects: ossa

** Information type changed from Public to Public Security

** This bug has been marked a duplicate of bug 1865026
   Open redirect in workflow forms

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1825549

Title:
  Phishing opportunity via unvalidated text in GET request

Status in OpenStack Dashboard (Horizon):
  Confirmed

Bug description:
  Some pages in Horizon appear to not validate the source information
  when displaying data provided in parameters, leading to a potential
  opportunity for phishing.  For example, here:

  https://git.openstack.org/cgit/openstack/horizon/tree/horizon/templates/auth/_login_form.html#n37

  Imagine this scenario: Alice logs into Horizon, works for a while,
  then checks her email.  An attacker has emailed her asking to check
  out something in Horizon and provides a clickable link whose href is:

  http://myhorizonurl.com/dashboard/auth/login/?next=Error!+Please+try+this+url+instead:%00http://www.malwaredomain.com/

  Since Alice is already logged in to Horizon, when she clicks the link
  she will see a "proper-looking" message in Horizon pointing her to
  another site where she might be further exploited.  This might be
  avoided if the source of the parameters in the GET request were
  validated.

  Note that AFAIK it's not possible to do markup in the message (e.g. to
  turn malwaredomain.com into a clickable link on the Horizon page) or
  actually create a redirect with this approach.  In this particular
  case it also only works if the user is logged in already (otherwise
  Alice will get punted to the login screen and will get a 404 error
  after providing credentials).

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1825549/+subscriptions
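A validator for the `next` parameter, added here as an illustration and not Horizon's own code or its fix for this bug: it pulls the value out of the reported link the way a form-decoded query parameter arrives, then accepts only same-host http(s) targets and falls back to a default. The names `ALLOWED_HOSTS`, `DEFAULT_NEXT`, `next_param`, `is_safe_next` and `resolve_next` are assumptions; the policy follows Django's `url_has_allowed_host_and_scheme` with an extra rejection of control characters such as the `%00` in the report.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts a post-login redirect may legitimately point at (constructed for
# this example; a deployment would list its own dashboard hostname).
ALLOWED_HOSTS = {"myhorizonurl.com"}
DEFAULT_NEXT = "/dashboard/"

# The link quoted in the bug report, used here as sample input.
REPORTED_LINK = ("http://myhorizonurl.com/dashboard/auth/login/"
                 "?next=Error!+Please+try+this+url+instead:"
                 "%00http://www.malwaredomain.com/")


def next_param(url):
    """Return the form-decoded ``next`` query value, as request.GET would."""
    return parse_qs(urlsplit(url).query).get("next", [""])[0]


def is_safe_next(value, allowed_hosts=ALLOWED_HOSTS):
    """True only if ``value`` is a redirect target on one of our own hosts.

    Same policy as Django's url_has_allowed_host_and_scheme, plus an
    outright rejection of control characters (the %00 in the report).
    """
    if not value or value != value.strip():
        return False
    # NUL, CR, LF and friends are a classic way to smuggle a second URL
    # past a parser or into a response header; never redirect on them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    # Browsers treat "\" like "/" and three leading slashes as absolute, so
    # validate the normalised form: "/\evil.com" and "///evil.com" fail.
    normalised = value.replace("\\", "/")
    if normalised.startswith("///"):
        return False
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False
    if parts.scheme and not parts.netloc:      # e.g. "javascript:..."
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # Scheme-relative ("//evil.com/") or absolute URLs must name our host.
    return not parts.netloc or parts.netloc.lower() in allowed_hosts


def resolve_next(value):
    """Target the login view should redirect to: the validated value or default."""
    return value if is_safe_next(value) else DEFAULT_NEXT
```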