Another Horizon login page vulnerability to a DoS attack
Bug #1459628 reported by
Paul Karikh
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | High | Aleksander Mogylchenko | |
| 6.1.x | Won't Fix | High | Paul Karikh | |
| 7.0.x | Fix Released | Critical | Aleksander Mogylchenko | |
Bug Description
Summary: Another Horizon login page vulnerability to a DoS attack
This bug is very similar to: https:/
Steps to reproduce:
1) Set up Horizon to use db as session engine (using this doc: http://
2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://
I've got 100 rows in django_session after this.
I've used MOS 6.1. Here is upstream bug: https:/
Changed in mos:
assignee: nobody → Paul Karikh (pkarikh)
status: New → In Progress
importance: Undecided → Critical
milestone: none → 6.1
tags: added: horizon
Changed in mos:
milestone: 6.1 → 7.0
Changed in mos:
status: In Progress → Fix Committed
I believe that the root of the problem is this line in django_openstack_auth (https://github.com/jtopjian/openstack_auth/blob/master/utils.py#L27):
user_id = request.session[auth.SESSION_KEY]
This operation looks valid. But after this moment we have no chance to prevent session creation because django handles all the other stuff.
When DOA tries to get access to request.session, django creates an instance of the User object (before this action it is an instance of SimpleLazyObject). After a few operations, when django couldn't find a session with the provided sessionId, it creates a new session: https://github.com/django/django/blob/1.7c3/django/contrib/sessions/backends/db.py#L29
Right now it looks like the best place to make any changes is this line: https://github.com/openstack/horizon/blob/stable/kilo/horizon/middleware.py#L93
We need to avoid accessing any request.user fields (to avoid making a new instance). Now I'm trying to find a way to check if the request was created by an anonymous user and not affect other cases.
Also I've contacted the Horizon core developers (Lin Hua Cheng and Eric Peterson). They agreed that this is a different bug and are searching for a way to handle it too.
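The mechanism described in the comments above, as an added illustration that is not code from this bug report, from Horizon or from Django: a plain-Python model of a db-backed session store whose `load()` falls back to creating a session when the cookie's key is unknown, a lazy user object whose first dereference forces that load, and two middleware functions side by side. The vulnerable one touches the user on every request (one new row per forged `sessionid`); the hardened one checks that the cookie names an existing session before dereferencing the user, which is the direction the comment proposes. All class and function names here (`SessionStore`, `LazyUser`, `vulnerable_middleware`, `hardened_middleware`, `rows_created`) are constructed for the example.

```python
"""Model of the unknown-sessionid row-creation problem and one mitigation.

Plain Python, no Django: SessionStore, LazyUser and the middleware
functions are constructed stand-ins, not Horizon's or Django's code.
"""
import secrets


class SessionStore:
    """Stand-in for a db session backend.

    As in the backend linked in the comments, load() falls back to
    create() when the key from the cookie is not found, which is what
    turns an arbitrary 'sessionid' cookie into a new session row.
    """

    def __init__(self):
        self.rows = {}  # constructed: stands in for the django_session table

    def exists(self, session_key):
        return session_key in self.rows

    def create(self):
        key = secrets.token_hex(16)
        self.rows[key] = {}
        return key

    def load(self, session_key):
        if session_key in self.rows:
            return session_key, self.rows[session_key]
        # Unknown key: fall back to a brand-new session (the costly path).
        key = self.create()
        return key, self.rows[key]


class LazyUser:
    """Resolving any attribute forces the session to load (and maybe be created)."""

    def __init__(self, store, cookie_key):
        self._store = store
        self._cookie_key = cookie_key
        self._resolved = None

    @property
    def is_authenticated(self):
        if self._resolved is None:
            _, data = self._store.load(self._cookie_key)
            self._resolved = data.get("user_id") is not None
        return self._resolved


def vulnerable_middleware(store, cookie_key):
    """Dereferences the user for every request, so a forged cookie creates a row."""
    user = LazyUser(store, cookie_key)
    return "authenticated" if user.is_authenticated else "anonymous"


def hardened_middleware(store, cookie_key):
    """Dereferences the user only when the cookie names a session that exists.

    A missing or unknown session cookie is treated as anonymous without
    touching the lazy user, so no row is written; the session is created
    later, at login, as usual.
    """
    if cookie_key is None or not store.exists(cookie_key):
        return "anonymous"
    user = LazyUser(store, cookie_key)
    return "authenticated" if user.is_authenticated else "anonymous"


def rows_created(middleware, n_requests=100):
    """Replay n requests carrying the forged cookie from the report; count rows."""
    store = SessionStore()
    for _ in range(n_requests):
        middleware(store, "aaaaa")  # constructed: the bogus sessionid value
    return len(store.rows)


def legit_session_still_works():
    """A real, logged-in session must still be recognised by the hardened path."""
    store = SessionStore()
    key = store.create()
    store.rows[key]["user_id"] = 42  # constructed user id
    return hardened_middleware(store, key) == "authenticated" and len(store.rows) == 1


if __name__ == "__main__":
    print("vulnerable rows:", rows_created(vulnerable_middleware))
    print("hardened rows:  ", rows_created(hardened_middleware))
    print("legit session ok:", legit_session_still_works())
```

The `exists()` check is one extra lookup per request with a cookie, which is far cheaper than the insert it avoids; a real middleware would also want to count or log the unknown-key requests, since a burst of them from one client is the observable signature of this behaviour.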