yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #86082
[Bug 1927677] Re: novnc allowing open direction which could potentially be used for phishing
Reviewed: https://review.opendev.org/c/openstack/nova/+/791297
Committed: https://opendev.org/openstack/nova/commit/781612b33282ed298f742c85dab58a075c8b793e
Submitter: "Zuul (22348)"
Branch: master
commit 781612b33282ed298f742c85dab58a075c8b793e
Author: melanie witt <melwittt@xxxxxxxxx>
Date: Thu May 13 05:43:42 2021 +0000
Reject open redirection in the console proxy
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:
http://vncproxy.my.domain.com//example.com/%2F..
which if visited, will redirect a user to example.com.
We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.
This code is copied from a patch suggested in one of the issue comments
[2].
Closes-Bug: #1927677
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1927677
Title:
novnc allowing open direction which could potentially be used for
phishing
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) train series:
New
Status in OpenStack Compute (nova) ussuri series:
New
Status in OpenStack Compute (nova) victoria series:
New
Status in OpenStack Compute (nova) wallaby series:
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
This bug report is related to Security.
Currently novnc is allowing open direction, which could potentially be
used for phishing attempts
To test.
https://<sites' vnc domain>//example.com/%2F..
include .. at the end
For example:
http://vncproxy.my.domain.com//example.com/%2F..
It will redirect to example.com. You can replace example.com with some
legitimate domain or spoofed domain.
The description of the risk is
By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1927677/+subscriptions