horizon auth switch redir DoS

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Adding django_openstack_auth since it may be missing the @csrf_protect decorator for the switch view. @Horizon-coresec, please triage this bug report.

Based on the description, it sounds like an unauthenticated actor can (through some manner of social engineering) compel an authenticated user to generate load on the server, but by design any authenticated malicious user could do this anyway even without the described bug?

If that's the case, pretty borderline but I'd lean toward this being either class C1 (an impractical vulnerability) or D (security hardening opportunity). https://security.openstack.org/vmt-process.html#incident-report-taxonomy I'm also subscribing the security note reviewers for input.

On 2017-03-20 15:30, Jeremy Stanley wrote:
> Based on the description, it sounds like an unauthenticated actor can
> (through some manner of social engineering) compel an authenticated user
> to generate load on the server, but by design any authenticated
> malicious user could do this anyway even without the described bug?

embedding an img or iframe URL on a website someone visits (e.g. through
advertisement networks) is not that far fetched and does not even need
social engineering.

and yes, authenticated users could do load themselves,
but it might be a private cloud behind a corporate firewall, so
generating load on those from outside the firewall is still some extra
power.

Sure, and it seems worth fixing, but posting malicious Web ads in an attempt to induce some load on a firewalled Horizon server strikes me as an unlikely and low-enough risk vector so as to not need an advisory (much less one coordinated secretly under embargo).

I agree on that.

If there are no objections, let's switch this bug to public and close the OSSA task.

There's been no input whatsoever from Horizon devs, but since the reporter already seems to have agreed in comment #7 and this has been open for over 5 months now let's just press forward.

This seems familiar, although I can't find the bug I'm thinking of. Someone mentioned a bug a while back where you did a similar thing but put the ID's in an image, so that just visiting the page generated traffic.

I don't actually think this has any practical application though; if I'm reading that URL correctly, it's triggering a switch to a specific project ID, which I assume we use the existing token to auth against, so the only way this could feasibly be used to generate load is if the malicious actor already had a valid list of all the current project IDs (or at least 2, to swap between them). Otherwise Horizon would just kick you to the login page. As far as I can tell, the only way to really disable this would be to provide another mechanism for passing the ID when swapping project.

I think this is really very low priority, given the above.

Assigning importance to Low per Rob's comment

It sounds more like a configuration issue rather than horizon issue