Comment 0 for bug 1765402

b (blogresponder) wrote :

Hello,
I found an SSRF vulnerability in the "Stack Preview" functionality. This functionality can be reached like this:

- on the left-hand side menu (of the Horizon dashboard) click "Orchestration"

- then from the submenu select "Stacks"

- then on the right of the screen the button "Preview Stack" is present

- then in the "Template Source" it is possible to select "URL" and choose an arbitrary address, including internal IP addresses. The result can be retrieved from the "alert-danger" div tag class in the server response.

This makes it possible to perform GET requests on arbitrary ports and IPs (external or internal). The code that is executed during the URL request is located here:

    heat/common/urlfetch.py (excerpt; the function continues with the http/https branch, which is not reproduced here)

# Standard-library imports used by the excerpt below; LOG, _ and
# URLFetchError are defined elsewhere in heat/common/urlfetch.py.
import urllib.error
import urllib.parse
import urllib.request

def get(url, allowed_schemes=('http', 'https')):
    """Get the data at the specified URL.

    The URL must use the http: or https: schemes.
    The file: scheme is also supported if you override
    the allowed_schemes argument.
    Raise an IOError if getting the data fails.
    """
    LOG.info('Fetching data from %s', url)

    components = urllib.parse.urlparse(url)

    # Only the scheme is validated; the host and port are not checked,
    # so any address the Heat service can reach is accepted.
    if components.scheme not in allowed_schemes:
        raise URLFetchError(_('Invalid URL scheme %s') % components.scheme)

    if components.scheme == 'file':
        try:
            return urllib.request.urlopen(url).read()
        except urllib.error.URLError as uex:
            # The raw urlopen error text is propagated to the caller.
            raise URLFetchError(_('Failed to retrieve template: %s') % uex)

available in https://github.com/openstack/heat as seen in the recent commit "7271252add45e600e9af2e68fe4700151367fec7" (date: April 12 13:28:57 2018).

Possible results include:

    http://127.0.0.1:8080 <urlopen error [Errno 113] No route to host>
    http://127.0.0.1:8080 <urlopen error [Errno 111] Connection refused>
    http://127.0.0.1:22 <urlopen error [Errno 111] Connection refused>
    http://127.0.0.1:80 <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>

This gives the attacker a good idea of which ports are open and which IP addresses are reachable.

I attach in the attachment a simple exploitation script.

If this bug is confirmed by your team I would kindly ask to put my name on a security contributors list (if you have some kind of hall of fame for security researchers or something like that). It is always cool to be mentioned somewhere.
Other than that an OpenStack T-shirt would be a nice reward. :)

Best regards,
Jan
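The report above shows the two defects a defender has to close in a template fetcher of this kind: the destination is never checked beyond its scheme, and the raw socket error is echoed back to the user. The following is an added example written for this page, not Heat's own code or fix. It keeps the scheme allow-list from urlfetch.get and adds a destination check that resolves the host and rejects any address that is not globally routable (loopback, link-local including the 169.254.169.254 metadata address, RFC 1918, multicast, reserved), returning only a generic reason. The FAKE_DNS table and the hostnames in it are constructed so the example runs offline; the resolver argument is a hypothetical hook for testing.

```python
import ipaddress
import socket
import urllib.parse

ALLOWED_SCHEMES = ('http', 'https')


def is_public_address(text):
    """True only for a globally routable unicast address.

    Loopback (127.0.0.1, ::1), link-local (169.254.0.0/16, which covers
    the cloud metadata address 169.254.169.254), RFC 1918 / ULA ranges,
    multicast, unspecified and reserved addresses are all rejected.
    """
    ip = ipaddress.ip_address(text)
    return (ip.is_global and not ip.is_private and not ip.is_loopback
            and not ip.is_link_local and not ip.is_multicast
            and not ip.is_unspecified and not ip.is_reserved)


def resolve_addresses(host):
    """Default resolver: every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    'templates.example.org': ['1.2.3.4'],           # public (constructed)
    'localhost': ['127.0.0.1'],
    'metadata.internal': ['169.254.169.254'],
    'rebind.example.org': ['1.2.3.4', '10.0.0.5'],  # one public, one private
}


def fake_resolver(host):
    """Hypothetical resolver used in place of DNS for the demonstration."""
    return FAKE_DNS.get(host, [])


def check_template_url(url, resolver=resolve_addresses):
    """Return None when the URL may be fetched, else a short rejection reason.

    The reason is deliberately generic: echoing the underlying socket error
    (as the "alert-danger" div does) tells the caller which ports are open.
    """
    parts = urllib.parse.urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return 'Invalid URL scheme'
    host = parts.hostname
    if not host:
        return 'URL has no host'
    try:                        # IP literal (IPv4 or bracketed IPv6): check directly
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:          # hostname: every resolved address must pass
        addrs = resolver(host)
    if not addrs:
        return 'Template URL host does not resolve'
    if not all(is_public_address(a) for a in addrs):
        return 'Template URL must point to a public address'
    return None


if __name__ == '__main__':
    for candidate in ('http://templates.example.org/t.yaml',
                      'http://127.0.0.1:8080', 'file:///etc/passwd',
                      'http://localhost:22', 'http://metadata.internal/',
                      'http://[::1]:8080/', 'http://rebind.example.org/'):
        print(candidate, '->', check_template_url(candidate, fake_resolver) or 'allowed')
```

Two caveats apply when this check is put in front of a real fetch. Resolving the name and then letting the HTTP client resolve it again leaves a window for DNS rebinding, so the connection should be made to the address that was validated (with the original name carried in the Host header or SNI), and any HTTP redirect must be re-checked with the same function before it is followed. The generic rejection strings are what should reach the dashboard; the detailed failure can still be written to the server log for operators.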