yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94669
[Bug 1980349] Re: It is possible to trigger a POST-Request to any address via Horizon
Given this bug report is over 2 years old and there still appears to be
no consensus that it's really a bug (much less whether there's a safely
backportable fix), it seems unlikely to rise to the level of urgency
where we'd issue an OSSA even if it did eventually get fixed. As such,
I'm closing the Security Advisory task as Won't Fix, but if there are
any dissenting opinions I'm happy to reopen and revisit that decision.
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1980349
Title:
It is possible to trigger a POST-Request to any address via Horizon
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
# Description of the bug
We use horizon in the following version:
`git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on
the command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'
``
So an attacker can control the content of the HTTP_REFERER and then an
auth POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/
and you can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will
forbid to call this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1980349/+subscriptions
