yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1927677] Re: novnc allowing open direction which could potentially be used for phishing

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1927677@xxxxxxxxxxxxxxxxxx>
Date: Sat, 15 May 2021 06:16:59 -0000
Reply-to: Bug 1927677 <1927677@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/nova/+/791297
Committed: https://opendev.org/openstack/nova/commit/781612b33282ed298f742c85dab58a075c8b793e
Submitter: "Zuul (22348)"
Branch:    master

commit 781612b33282ed298f742c85dab58a075c8b793e
Author: melanie witt <melwittt@xxxxxxxxx>
Date:   Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy
    
    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs
    in the following format:
    
      http://vncproxy.my.domain.com//example.com/%2F..
    
    which if visited, will redirect a user to example.com.
    
    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.
    
    This code is copied from a patch suggested in one of the issue comments
    [2].
    
    Closes-Bug: #1927677
    
    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545
    
    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1927677

Title:
  novnc allowing open direction which could potentially be used for
  phishing

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) train series:
  New
Status in OpenStack Compute (nova) ussuri series:
  New
Status in OpenStack Compute (nova) victoria series:
  New
Status in OpenStack Compute (nova) wallaby series:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This bug report is related to Security.

  Currently novnc is allowing open direction, which could potentially be
  used for phishing attempts

  To test.
  https://<sites' vnc domain>//example.com/%2F..
  include .. at the end

  For example:
  http://vncproxy.my.domain.com//example.com/%2F..

  It will redirect to example.com. You can replace example.com with some
  legitimate domain or spoofed domain.

  The description of the risk  is
  By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
  Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1927677/+subscriptions