yahoo-eng-team team mailing list archive
Message #90027
[Bug 1982676] Re: Open redirect / phishing attack via "success_url" parameter in OpenStack
Reviewed: https://review.opendev.org/c/openstack/horizon/+/857740
Committed: https://opendev.org/openstack/horizon/commit/79d139594290779b2f74ca894332aa7f2f7e4735
Submitter: "Zuul (22348)"
Branch: master
commit 79d139594290779b2f74ca894332aa7f2f7e4735
Author: manchandavishal <manchandavishal143@xxxxxxxxx>
Date: Wed Sep 14 22:17:58 2022 +0530
Fix success_url parameter issue for Edit Snapshot
The "success_url" param is used when updating the project snapshot
[1] and it lacks sanitizing the input URL that allows an attacker to
redirect the user to another website. This patch update 'Updateview'
class to not use the "sucess_url" method.
Closes-bug: #1982676
[1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109
Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
** Changed in: horizon
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1982676
Title:
Open redirect / phishing attack via "success_url" parameter in
OpenStack
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
The "success_url" param is used when updating the project snapshot and
it lacks sanitizing the input URL that allows an attacker to redirect
the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user, and when they click on the
"Update" button, the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick users into being redirected to a cloned website to
steal information, a so-called phishing attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena, so the Horizon dashboard could be between versions 20.0.0 and 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I discovered this bug while pen-testing a black-box project, so I do not have the log file. I hope my information helps you to understand the bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1982676/+subscriptions
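The report above shows a "success_url" value being passed straight into a 302 Location header; the merged Horizon fix removed the parameter from the snapshot UpdateView altogether. The following is an added example, not Horizon's code, showing the alternative defence: validating a requested redirect target against the dashboard's own host before honouring it, re-implemented with the standard library so it runs without Django (the host name, default path and the `resolve_success_url` helper are assumptions for illustration).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed values for the example: the host the dashboard is served from
# and the fallback target used when the requested success_url is rejected.
DASHBOARD_HOST = "dashboard.example.com"   # assumption, not from the report
DEFAULT_NEXT = "/project/snapshots/"       # assumption, not from the report


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if target stays on allowed_host (same shape of check
    as Django's url_has_allowed_host_and_scheme, re-implemented here)."""
    if not target or target.startswith("///"):
        return False
    # Browsers treat "\" like "/", so "/\evil.com" is really "//evil.com".
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False
    # Only http(s) may be used; javascript:, data: and friends are rejected.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # "https:evil.com" parses with a scheme but no netloc; treat as unsafe.
    if parts.scheme and not parts.netloc:
        return False
    # Absolute or scheme-relative ("//evil.com") URLs must name our own host.
    if parts.netloc and parts.netloc != allowed_host:
        return False
    return True


def resolve_success_url(params, allowed_host=DASHBOARD_HOST, default=DEFAULT_NEXT):
    """Choose the post-update redirect from the query parameters (a plain dict
    standing in for request.GET), falling back to default when unsafe."""
    candidate = params.get("success_url", "")
    return candidate if is_safe_redirect(candidate, allowed_host) else default


if __name__ == "__main__":
    # The proof-of-concept URL from the report, with xxx.com as the dashboard.
    reported = ("https://xxx.com/project/snapshots/"
                "a54c1d97-d354-4171-9602-52fdf0949e83/update/"
                "?success_url=https://hacker.com")
    query = {k: v[0] for k, v in parse_qs(urlsplit(reported).query).items()}
    print(resolve_success_url(query, allowed_host="xxx.com"))  # -> /project/snapshots/
```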