OpenStack Dashboard (Horizon)

[OSSA 2012-012] open redirect / phishing attack via "next" parameter

Reported by Thomas Biege on 2012-08-20
Affects / Importance / Assigned to:
OpenStack Dashboard (Horizon): Medium, Unassigned
Essex: Medium, Unassigned
OpenStack Security Advisory: Undecided, Russell Bryant
horizon (Ubuntu): Undecided, Unassigned (Declined for Precise by Jamie Strandboge)

Bug Description

The "next" parameter is used here and there in the Dashboard.

http://10.122.185.2/auth/login/?next=http://www.heise.de

Redirects to www.heise.de.

Instead of redirecting to heise, an attacker can redirect to a cloned Dashboard
to steal information, a so-called phishing attack.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html

Folsom seems to be safe, but it affects Essex.

https://github.com/gabrielhurley/django_openstack_auth/pull/7

description: updated
Vincent Untz (vuntz) wrote :

Just to clarify: the github pull request is what is needed in folsom to actually use the next parameter. I'm attaching the fix for essex.

Thierry Carrez (ttx) wrote :

Adding Devin and Gabriel:
Please confirm that Folsom is unaffected, and that the proposed patch for Essex looks good.

Changed in horizon:
importance: Undecided → Medium
status: New → Confirmed
description: updated
Gabriel Hurley (gabriel-hurley) wrote :

Confirmed that this bug exists in Essex, and the patch there looks good to me.

Folsom is not affected. This kind of security hole is one of the (many) reasons I rewrote the entire auth mechanism to be a pluggable backend for Django's contrib.auth module in the Folsom timeframe.

Changed in horizon:
status: Confirmed → Invalid
Thierry Carrez (ttx) wrote :

@gabriel: could you get another horizon-core dev to review this so that we can consider it pre-approved (and ready to be fast-tracked into review when the embargo ends)? Just subscribe that person to the bug to give him access.

Proposed impact description, please validate:

Title: Open redirect through 'next' parameter
Impact: Medium
Reporter: Thomas Biege (SUSE)
Products: Horizon
Affects: Essex

Description:
Thomas Biege from SUSE reported a vulnerability in Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted from him. Only setups running Essex are affected.

Gabriel Hurley (gabriel-hurley) wrote :

I'm adding Paul McMillan to this bug for further security review. He can give the patch a second +2 here.

Paul McMillan (paul-mcmillan) wrote :

The attached patch isn't as thorough as I'd prefer. Alternate patch forthcoming.

Paul McMillan (paul-mcmillan) wrote :

This patch strictly checks protocol, host, and port before allowing a redirect.

Paul McMillan (paul-mcmillan) wrote :

And I really will learn how to use launchpad one of these days. Sorry for the noise.

lgtm

Thierry Carrez (ttx) wrote :

@Thomas, Vincent: confirm that the new patch is good for you.
Everyone: please confirm that impact description looks good (if not, suggest alternate wording)

Once that's done we can push to downstream stakeholders and define end-of-embargo date.

Vincent Untz (vuntz) wrote :

I haven't tested the patch, but it makes sense to me.

Note that my earlier patch was really just mimicking what django is doing: https://github.com/django/django/blob/master/django/contrib/auth/views.py#L49

So if we go for this more solid version, we might want to add that to django_openstack_auth for Folsom (or even better, to fix this in django upstream).
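As an added illustration (not part of the bug thread, and not Horizon's, django_openstack_auth's or Django's own code), the Python below contrasts a host-only check in the spirit of the Django login view Vincent links to with the strict scheme, host and port comparison Paul describes for his patch. The request origin, hostnames and sample "next" values are constructed; the www.heise.de URL is the one from the report.

```python
from urllib.parse import urlsplit

# Added example: two ways of validating a login "next" parameter before
# redirecting to it. Neither is the actual Horizon or Django implementation.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(scheme, port):
    """Port actually used by the URL: the explicit one, else the scheme default."""
    return port if port is not None else DEFAULT_PORTS.get(scheme)


def host_only_is_safe(next_url, request_host):
    """Weaker check (simplified, in the spirit of the Django view): accept if the
    URL names no host or the same host. Scheme and port are ignored, so an
    https->http downgrade, a different port on the same host, or a backslash
    path that browsers treat as "//host" all pass."""
    if not next_url:
        return False
    try:
        host = urlsplit(next_url).hostname
    except ValueError:
        return False
    return host is None or host == request_host.lower()


def is_same_origin_redirect(next_url, request_scheme, request_host, request_port=None):
    """Strict check: allow only an absolute path on this site, or an absolute URL
    whose scheme, host and port all equal the request's own."""
    if not next_url:
        return False
    # Browsers treat backslashes like slashes and strip control characters;
    # refuse anything containing them instead of trying to normalise it.
    if any(c == "\\" or ord(c) <= 0x20 for c in next_url):
        return False
    try:
        parts = urlsplit(next_url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be a single-slash absolute path. "//host"
        # and "///host" are resolved by browsers as protocol-relative URLs.
        return next_url.startswith("/") and not next_url.startswith("//")
    scheme = parts.scheme.lower()
    request_scheme = request_scheme.lower()
    if scheme != request_scheme:
        return False
    if parts.hostname != request_host.lower():
        return False
    return _effective_port(scheme, port) == _effective_port(request_scheme, request_port)


def classify(candidates, request_scheme="http", request_host="example.com", request_port=None):
    """Run both checks over candidate "next" values.
    Returns {url: (host_only_result, same_origin_result)}."""
    return {
        url: (host_only_is_safe(url, request_host),
              is_same_origin_redirect(url, request_scheme, request_host, request_port))
        for url in candidates
    }


# Constructed sample inputs; the dashboard is assumed to be served at http://example.com.
SAMPLE_NEXT_VALUES = [
    "/nova/instances/",                   # plain in-site path
    "http://example.com/nova/",           # absolute URL to the same origin
    "http://www.heise.de",                # the reported open redirect
    "//www.heise.de/",                    # protocol-relative URL
    "/\\www.heise.de",                    # backslash variant of the above
    "https://example.com/",               # same host, different scheme
    "http://example.com:8080/",           # same host, different port
    "http://example.com@www.heise.de/",   # userinfo confusion
]

if __name__ == "__main__":
    for url, (weak, strict) in classify(SAMPLE_NEXT_VALUES).items():
        print(f"{url!r:40} host-only={weak!s:5} same-origin={strict}")
```

Running the block shows where the two checks diverge: the scheme-downgrade, alternate-port and backslash cases pass the host-only check and are rejected only by the same-origin comparison, which is the gap Paul's comment about Horizon knowing its own deployment refers to.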

Paul McMillan (paul-mcmillan) wrote :

I'll consider the change for upstream Django.

One reason Horizon can make this kind of assertion more readily is that we know more about the use case than upstream. It's not out of the question that someone is using the Django authentication framework, then redirecting to an insecure site, or an app running on a different port, or...

I would change the impact wording to drop the words "from him". Otherwise looks good.

Thierry Carrez (ttx) wrote :

Fixed impact description:

Title: Open redirect through 'next' parameter
Impact: Medium
Reporter: Thomas Biege (SUSE)
Products: Horizon
Affects: Essex

Description:
Thomas Biege from SUSE reported a vulnerability in Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected.

Looks ready to be pushed to downstream stakeholders now.

Russell Bryant (russellb) wrote :

I will send this to downstream stakeholders now. My proposed disclosure date is Thursday, Aug 30th.

Russell Bryant (russellb) wrote :
visibility: private → public

Reviewed: https://review.openstack.org/12193
Committed: http://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b
Submitter: Jenkins
Branch: stable/essex

commit 35eada8a27323c0f83c400177797927aba6bc99b
Author: Paul McMillan <email address hidden>
Date: Wed Aug 22 12:15:40 2012 -0700

    Fix open redirect in Horizon.

    LP 1039077. Disallow login redirects to anywhere other than the same origin.

    Change-Id: I36e8e4f30cf440ecc73534af38fcd8d2a111a603

Changed in horizon (Ubuntu):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed in http://www.ubuntu.com/usn/usn-1565-1 in Ubuntu.

Hello Thomas, or anyone else affected,

Accepted horizon into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/horizon/2012.1.3+stable-20130423-5ce39422-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Horizon has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Stable review: https://review.openstack.org/12193

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Test coverage log.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thierry Carrez (ttx) on 2013-06-07
summary: - open redirect / phishing attack via "next" parameter
+ [OSSA 2012-012] open redirect / phishing attack via "next" parameter
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released