2022-07-24 04:32:40 |
Phan Nguyên Long |
bug |
|
|
added bug |
2022-07-24 04:33:21 |
Phan Nguyên Long |
description |
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not the log file. Hope my information help you to understand the bug. |
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. |
|
2022-07-24 16:08:26 |
Jeremy Stanley |
description |
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2022-10-22 and will be made
public by or on that date even if no fix is identified.
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. |
|
2022-07-24 16:08:39 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2022-07-24 16:08:45 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2022-07-24 16:09:01 |
Jeremy Stanley |
bug |
|
|
added subscriber Horizon Core security contacts |
2022-07-27 20:04:33 |
Akihiro Motoki |
horizon: status |
New |
Confirmed |
|
2022-07-27 20:04:39 |
Akihiro Motoki |
horizon: importance |
Undecided |
High |
|
2022-07-27 20:04:42 |
Akihiro Motoki |
horizon: assignee |
|
Akihiro Motoki (amotoki) |
|
2022-08-26 10:35:46 |
Vishal Manchanda |
attachment added |
|
patch.txt https://bugs.launchpad.net/horizon/+bug/1982676/+attachment/5611853/+files/patch.txt |
|
2022-09-14 13:29:33 |
Vishal Manchanda |
horizon: assignee |
Akihiro Motoki (amotoki) |
Vishal Manchanda (vishalmanchanda) |
|
2022-09-14 16:40:47 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2022-09-14 16:40:58 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2022-10-22 and will be made
public by or on that date even if no fix is identified.
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. |
The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website.
For instance, the URL below will redirect you to https://hacker.com:
https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com
The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this:
[+] Request
POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>
csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=
[+] Response
HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>
Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions.
Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. |
|
2022-09-14 16:53:47 |
OpenStack Infra |
horizon: status |
Confirmed |
In Progress |
|
2022-10-21 18:24:49 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Released |
|
2022-11-02 17:05:47 |
OpenStack Infra |
tags |
|
in-stable-wallaby |
|
2023-04-10 16:55:57 |
OpenStack Infra |
tags |
in-stable-wallaby |
in-stable-wallaby in-stable-xena |
|