Open redirect / phishing attack via "success_url" parameter in OpenStack

Bug #1982676 reported by Phan Nguyên Long
Affects                        Status        Importance  Assigned to       Milestone
OpenStack Dashboard (Horizon)  Fix Released  High        Vishal Manchanda
OpenStack Security Advisory    Incomplete    Undecided   Unassigned

Bug Description

The "success_url" param is used when updating the project snapshot and it does not sanitize the input URL, which allows an attacker to redirect the user to another website.

For instance, the URL below will redirect you to https://hacker.com:

https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com

The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:

[+] Request

POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>

csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=

[+] Response

HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>

Impact: The attacker can trick users into being redirected to a cloned website to steal information, a so-called phishing attack.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html

I have tested it on OpenStack Xena, so the Horizon dashboard could be anywhere between versions 20.0.0 and 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I discovered this bug when pen-testing a black-box project, so I do not have the log file. I hope my information helps you to understand the bug.
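For operators who want to know whether this URL was ever abused against their deployment before the fix landed, the following is an added detection example (not part of the bug report or of Horizon). It scans web-server access logs for requests to the snapshot update page whose "success_url" value carries a scheme or a host, which is exactly the shape of the request shown above. The log lines are constructed in Apache combined format for the example; the IP addresses and the "hacker.example" host are fictional, and the only assumption is that the front-end server logs the request line including the query string, as Apache does by default.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format. IPs and the
# "hacker.example" host are fictional; the path mirrors the one in the report.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2022:10:14:38 +0000] "POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.6 - - [12/Jul/2022:10:15:02 +0000] "GET /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=%2Fproject%2Fsnapshots%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2022:10:16:40 +0000] "GET /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=%2F%2Fhacker.example%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Jul/2022:10:17:11 +0000] "GET /project/snapshots/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_external_target(value):
    """True when a success_url value could leave the site.

    Anything with a scheme ("https://x") or a network location ("//x")
    is treated as external. Backslashes are folded to slashes first
    because browsers do the same, so "/\\x" would become "//x".
    """
    parts = urlsplit(value.replace("\\", "/"))
    return bool(parts.scheme or parts.netloc)


def find_redirect_attempts(log_text):
    """Return one finding per request whose success_url points off-site."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        target = match.group("target")
        query = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes
        for value in query.get("success_url", []):
            if is_external_target(value):
                findings.append({
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "method": match.group("method"),
                    "success_url": value,
                    # A 302 on the POST means the redirect was actually issued,
                    # i.e. the server was still unpatched when this was logged.
                    "redirect_issued": match.group("status") == "302",
                })
    return findings


if __name__ == "__main__":
    for finding in find_redirect_attempts(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports two requests (the absolute "https://..." value and the scheme-relative "//..." value) and leaves the legitimate relative "/project/snapshots/" alone. A GET carrying an external success_url is only the link being opened; the POST with a 302 response is the point at which the victim was actually sent off-site.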

description: updated
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Phan Nguyên Long (phannguyenlong) wrote :

May I ask for any updates on the bug?

Akihiro Motoki (amotoki) wrote :

I confirmed it.

Using the "success_url" parameter in a URL was introduced in commit a436b12acc85d474f4e71404de771d7143421eed and the corresponding Gerrit review is https://review.opendev.org/c/openstack/horizon/+/270461.
The affected version is horizon 12.0.0 and later (up to the master).

The URL parameter "success_url" is used to control the page shown after the snapshot update operation succeeds, but passing the full URL is not a good way to achieve the goal. Horizon should not depend on a URL passed from users. It should be decided internally.
Perhaps a fix would be to define a subclass of [1] instead of using "success_url" from request.GET.

[1] https://opendev.org/openstack/horizon/src/branch/master/openstack_dashboard/dashboards/project/snapshots/views.py#L83

Changed in horizon:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Akihiro Motoki (amotoki)
Phan Nguyên Long (phannguyenlong) wrote :

Thanks a lot for your confirmation. Please notify me when the bug fix is released so we can disclose this bug.

Phan Nguyên Long (phannguyenlong) wrote :

Hi team,

It has been a few weeks since I reported this bug. How is it going? Has the fix been released so we can disclose this report?

Thanks for your time.

Vishal Manchanda (vishalmanchanda) wrote :

@phannguyenlong, hi, I have attached a fix here; please let me know if it fixes this issue.

Phan Nguyên Long (phannguyenlong) wrote :

Dear Team,

It seems to me that the bug has been fixed successfully.

Phan Nguyên Long (phannguyenlong) wrote :

Hi Team,

Can we disclose and publish this issue so that I can ask for a CVE for it?

Jeremy Stanley (fungi) wrote :

Vishal: Is it the Horizon team's assessment that this defect represents a severe enough risk to warrant stable branch backports and a coordinated publication of a security advisory? If not, then we can switch it to public immediately and the fix can just be pushed normally into Gerrit.

Phan Nguyên Long (phannguyenlong) wrote :

Any update so far?

Vishal Manchanda (vishalmanchanda) wrote :

fungi: yeah, it looks like a security issue to me and we should fix and merge it asap in master and stable branches. I am waiting for the horizon CoreSec team and the author of this bug to review the patch I added in #6.

Changed in horizon:
assignee: Akihiro Motoki (amotoki) → Vishal Manchanda (vishalmanchanda)
Jeremy Stanley (fungi) wrote :

The author seems to indicate in comment #7 (two weeks ago) that the supplied patch works to mitigate the vulnerability. Let me know if you plan to reach out to the Horizon reviewers, or if I should do so, as they don't appear to have weighed in yet. At this point it's taken so long that we've probably missed the opportunity to avoid releasing Zed without this bug.

Given the long times between providing a fix and reviewing it so far, the Horizon team's priority for this problem seems to be very low, which is why I asked whether we should just go ahead and make it public as soon as possible, rather than spending even more time trying to coordinate supplying backported patches to downstream stakeholders in private and scheduling an advisory (which would add at least another week after all the backports are ready).

Radomir Dopieralski (deshipu) wrote :

The proposed patch mitigates the issue by removing the redirect entirely, which of course works, but degrades the user experience. We can merge it as a stopgap solution, but a correct long-term fix would be to validate the url before redirecting, like we do here:

https://github.com/openstack/horizon/blob/master/horizon/workflows/views.py#L96-L102
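The two remedies discussed in this thread are removing the redirect (what the merged patch does) and validating the URL before honouring it (what Radomir recommends as the long-term fix and what Akihiro's comment about not trusting a URL from request.GET also points at). The block below is an added example, not Horizon's code and not the patch from this bug: it shows the vulnerable lookup next to a hardened one in plain Python, with the validation written to the same rules Django's url_has_allowed_host_and_scheme() applies. Whether the linked workflow view calls that exact Django helper is not stated on this page; the function names, the fallback path and the host "dashboard.example.com" are assumptions for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed fallback, standing in for the view's own index URL.
DEFAULT_SUCCESS_URL = "/project/snapshots/"


def vulnerable_redirect_target(query, fallback=DEFAULT_SUCCESS_URL):
    """The pattern the report describes: trust whatever the query string says."""
    return query.get("success_url") or fallback


def url_is_local(url, request_host, require_https=False):
    """Return True only if `url` stays on `request_host`.

    Rules (the same ones Django's url_has_allowed_host_and_scheme() applies):
      - empty values and values starting with "///" are rejected
      - a leading control character is rejected (browsers may skip it and
        then treat the rest as scheme-relative)
      - a scheme without a host ("http:///x") is rejected
      - only http/https (or https alone) are accepted as schemes
      - a network location must match the request host exactly
    The check runs on the raw value and on a copy with backslashes folded
    to slashes, because browsers treat "\\" as "/" in paths.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    for candidate in (url, url.replace("\\", "/")):
        if candidate.startswith("///"):
            return False
        if unicodedata.category(candidate[0])[0] == "C":
            return False
        try:
            parts = urlsplit(candidate)
        except ValueError:  # e.g. a malformed IPv6 literal
            return False
        if parts.scheme and not parts.netloc:
            return False
        scheme = parts.scheme.lower()
        if not scheme and parts.netloc:
            scheme = "http"  # "//host/path" is scheme-relative, i.e. http(s)
        allowed = ("https",) if require_https else ("http", "https")
        if scheme and scheme not in allowed:
            return False
        if parts.netloc and parts.netloc.lower() != request_host.lower():
            return False
    return True


def safe_redirect_target(query, request_host, fallback=DEFAULT_SUCCESS_URL):
    """The hardened pattern: honour success_url only when it is local."""
    candidate = query.get("success_url")
    if candidate and url_is_local(candidate, request_host):
        return candidate
    return fallback


if __name__ == "__main__":
    host = "dashboard.example.com"
    for value in ("/project/snapshots/", "https://hacker.com", "//hacker.com/",
                  "/\\hacker.com", "http:///hacker.com", "javascript:alert(1)"):
        print(f"{value!r:28} local={url_is_local(value, host)}")
```

Dropping the parameter altogether, as the merged fix does, is the simplest correct choice; if the redirect is kept, the hardened form above falls back to the view's own index for every off-site, scheme-relative, backslash or non-http value rather than trying to "clean" the attacker's URL.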

Jeremy Stanley (fungi) wrote :

After further discussion with Vishal Manchanda, the risk implied by this bug is minor enough that the most expedient solution will be to go public with it now and follow our lower-effort public security process: https://security.openstack.org/vmt-process.html#process

Please push the proposed fix(es) to Gerrit and mention this report in the commit message, so it can be reviewed there with full context.

information type: Private Security → Public Security
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/857740

Changed in horizon:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/857740
Committed: https://opendev.org/openstack/horizon/commit/79d139594290779b2f74ca894332aa7f2f7e4735
Submitter: "Zuul (22348)"
Branch: master

commit 79d139594290779b2f74ca894332aa7f2f7e4735
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing of the input URL, which allows an attacker
    to redirect the user to another website. This patch updates the
    'Updateview' class to not use the "success_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/862899

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/862900

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/horizon/+/862901

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/horizon/+/862902

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/862902
Committed: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit beed6bf6f6f83df9972db5fb539d64175ce12ce9
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing of the input URL, which allows an attacker
    to redirect the user to another website. This patch updates the
    'Updateview' class to not use the "success_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
    (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 19.4.0

This issue was fixed in the openstack/horizon 19.4.0 release.

Phan Nguyên Long (phannguyenlong) wrote :

Since the bug is fixed and released, could you please request a CVE and put it on OpenStack Security Advisories (OSSA) to notify other users, following the process here (https://security.openstack.org/vmt-process.html)?

Jeremy Stanley (fungi) wrote :

The fix for horizon's stable/yoga branch doesn't appear to pass testing yet, and the fixes for stable/zed and stable/xena still need to be reviewed and approved by horizon developers as well. Once that is done, we can proceed with issuing an advisory.

Phan Nguyên Long (phannguyenlong) wrote :

Thanks for your reply; please notify me when you are processing the next step.

Thanks a lot!

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 23.1.0

This issue was fixed in the openstack/horizon 23.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/862901
Committed: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 2f600272bfffb3024e6f06a369f9b4768dd1a0b0
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing of the input URL, which allows an attacker
    to redirect the user to another website. This patch updates the
    'Updateview' class to not use the "success_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
    (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 20.1.4

This issue was fixed in the openstack/horizon 20.1.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 22.1.1

This issue was fixed in the openstack/horizon 22.1.1 release.
