Comment 3 for bug 1927677

melanie witt (melwitt) wrote : Re: novnc allowing open direction which could potentially be used for phishing

This bug report reminds me of an old bug [1] we dealt with in the past where the canned vnc_auto.html and vnc.html pages allowed injection of arbitrary HTML into them (fixed in noVNC 0.6.2) [2].

vnc_auto.html (vnc_lite.html as of v1.0.0) and vnc.html have a feature where a host and port can be specified as query parameters in the URL, for example [3]:

  http://1.2.3.4:6080/vnc_auto.html?host=6.7.8.9&port=6080

and it will connect to a noVNC server running on that host:port as the source of data provided to vnc_auto.html. The bug [2] meant that if a user specified host:port in the URL query parameters, a potentially malicious noVNC server running on that host:port could inject arbitrary HTML into the vnc_auto.html being served on the user's machine.

I mention that because it seems like the host:port functionality could be similarly used to phish. I'm thinking if someone ran their own noVNC server at host:port and got a user to click on a link with ?host&port in it, they could steal credentials if the user didn't notice what machine they're connecting to.

If that's the case, I'm not sure this redirect behavior is much different than what is already built in to the vnc_lite.html and vnc.html pages that come with noVNC.

Aside from that, it's not clear to me whether this redirect behavior is something we (nova) control or if it's being done by noVNC itself. If it's the latter, I'm not sure whether we could do anything to intercept it or if it's something that would have to be changed in noVNC.

I'm going to add noVNC to this bug to get their input about the redirect behavior.

[1] https://bugs.launchpad.net/horizon/+bug/1656435
[2] https://github.com/novnc/noVNC/issues/748
[3] https://github.com/novnc/noVNC/blob/v1.1.0/vnc_lite.html#L14-L15
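
The following is an added example, not part of the comment above and not code from nova or noVNC: a link check a mail or proxy filter could run to flag console URLs whose `host`/`port` query parameters point the page at a different server than the one serving it. The names `checkConsoleLink` and `allowedTargets` are hypothetical, and only the query-string form shown in the comment is handled.

```javascript
// Added example (not nova or noVNC code). checkConsoleLink and allowedTargets
// are hypothetical names chosen for this illustration.
const CONSOLE_PAGES = new Set(['vnc.html', 'vnc_auto.html', 'vnc_lite.html']);

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : '80';
}

// Returns { verdict, reason } where verdict is one of
// 'ok', 'mismatch', 'not-console', 'invalid'.
function checkConsoleLink(link, allowedTargets = []) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { verdict: 'invalid', reason: 'unparseable URL' };
  }
  const page = url.pathname.split('/').pop();
  if (!CONSOLE_PAGES.has(page)) {
    return { verdict: 'not-console', reason: 'not a noVNC console page' };
  }
  const hosts = url.searchParams.getAll('host');
  const ports = url.searchParams.getAll('port');
  // Repeated parameters can be read differently by different parsers,
  // so treat them as suspicious rather than guessing which one wins.
  if (hosts.length > 1 || ports.length > 1) {
    return { verdict: 'mismatch', reason: 'repeated host/port parameter' };
  }
  const pageHost = url.hostname.toLowerCase();
  const pagePort = url.port || defaultPort(url.protocol);
  // An absent or empty parameter means the page's own host/port is used.
  const targetHost = (hosts[0] || pageHost).toLowerCase();
  const targetPort = ports[0] || pagePort;
  const target = `${targetHost}:${targetPort}`;
  if (targetHost === pageHost && targetPort === pagePort) {
    return { verdict: 'ok', reason: 'connects back to the serving host' };
  }
  if (allowedTargets.includes(target)) {
    return { verdict: 'ok', reason: `${target} is explicitly allowed` };
  }
  return { verdict: 'mismatch', reason: `page on ${pageHost}:${pagePort} connects to ${target}` };
}
```

A deployment that legitimately serves the console page from one address and proxies the connection from another would list that second address in `allowedTargets`.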