[OSSA-2020-008] Open redirect in workflow forms (CVE-2020-29565)

Bug #1865026 reported by Radomir Dopieralski
270
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Fix Released
Undecided
Radomir Dopieralski
OpenStack Security Advisory
Fix Released
Medium
Gage Hugo

Bug Description

This affects all released versions of Horizon.

It is possible to make Horizon redirect to an arbitrary URL:

Steps of Reproduction:
1. Visit https://rhos-d.infra.prod.upshift.rdu2.redhat.com
2. Click on Instances
3. Pick any available instance and click on it.
4. On Right side - Click on Down arrow button
5. Hover on 'Edit Instance' and copy its link location and open in the same browser in the same tab.
6. It will look like:
https://rhos-d.infra.prod.upshift.rdu2.redhat.com/dashboard/project/instances/<instance_id>/update?step=instance_info&next=<path_and_id>; Change the &next= value with &next=https://evil.com and refresh the page ; then click on Save Button.
7. It will redirect the page to Evil.com.

CVE References

Revision history for this message
Radomir Dopieralski (deshipu) wrote :

It looks like we have no validation on the "next" parameter, that is getting passed to the target attribute of the form.

A possible fix could look like this:

diff --git a/horizon/workflows/views.py b/horizon/workflows/views.py
index 9c8fe1a27..2caf969e3 100644
--- a/horizon/workflows/views.py
+++ b/horizon/workflows/views.py
@@ -90,8 +90,14 @@ class WorkflowView(hz_views.ModalBackdropMixin, generic.TemplateView):
         workflow = self.get_workflow()
         workflow.verify_integrity()
         context[self.context_object_name] = workflow
- next = self.request.GET.get(workflow.redirect_param_name)
- context['REDIRECT_URL'] = next
+ redirect_to = self.request.GET.get(workflow.redirect_param_name)
+ # Make sure the requested redirect matches the protocol,
+ # domain, and port of this request
+ if redirect_to and not http.same_origin(
+ request.build_absolute_uri(redirect_to),
+ request.build_absolute_uri()):
+ redirect_to = None
+ context['REDIRECT_URL'] = redirect_to
         context['layout'] = self.get_layout()
         # For consistency with Workflow class
         context['modal'] = 'modal' in context['layout']

Revision history for this message
Radomir Dopieralski (deshipu) wrote :
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

It's not clear to me how an attacker would alter the "next" GET variable's value supplied by Horizon. Can you elaborate on an actual exploit scenario making use of this trick?

Revision history for this message
Jeremy Stanley (fungi) wrote :

Is the concern that someone might name, say, a server instance as that URL and it will be passed through unaltered similar to bug 1247675? Or is the concern simply that someone may send a maliciously-crafted Horizon URL to someone out of band and socially engineer them into clicking on it? If the latter, I think this may be a duplicate of (still private) bug 1825549.

Horizon security reviewers, can you take a look?

Revision history for this message
Radomir Dopieralski (deshipu) wrote :

As the value is automatically escaped when inserted into the template, the first scenario is not a concern.

The second scenario is a possibility, and is especially bad, as the request that reaches the malicious server is a POST request, containing all the data from the particular form (which, depending on which workflow is chosen, may contain sensitive data).

There is also another scenario, where this vulnerability is used together with some other vulnerability, like an XSS attack, to circumvent the same-origin restrictions and send harvested data embedded in the next URL to outside server.

I don't have access to bug 1825549 so I can't comment on that.

Jeremy Stanley (fungi)
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

description: updated
information type: Private Security → Public Security
Revision history for this message
Radomir Dopieralski (deshipu) wrote :

Is there any update on this?

Changed in horizon:
assignee: nobody → Radomir Dopieralski (deshipu)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/750207
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=252467100f75587e18df9c43ed5802ee8f0017fa
Submitter: Zuul
Branch: master

commit 252467100f75587e18df9c43ed5802ee8f0017fa
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026

Changed in horizon:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/752703

Revision history for this message
Jeremy Stanley (fungi) wrote : Re: Open redirect in workflow forms

Reviewing this and bug 1825549 they are both about lack of validation for the supplied value of the "next" parameter, so probably duplicates. I had classed the other report as merely security hardening, since the reporter apparently did not realize you could directly supply a URL there in some pages and get it to automatically redirect.

This sounds like a classic "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ( https://cwe.mitre.org/data/definitions/601.html ) so probably a class A vulnerability report per https://security.openstack.org/vmt-process.html#incident-report-taxonomy if it can be cleanly patched on all affected stable branches.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/ussuri)

Reviewed: https://review.opendev.org/752703
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=baa370f84332ad41502daea29a551705696f4421
Submitter: Zuul
Branch: stable/ussuri

commit baa370f84332ad41502daea29a551705696f4421
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)

tags: added: in-stable-ussuri
Revision history for this message
Jeremy Stanley (fungi) wrote : Re: Open redirect in workflow forms

Once backports are in review for all of Horizon's supported stable branches, I'll proceed with requesting a CVE assignment and issuing an advisory.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Jeremy, what stable branches are in question? Is it enough to backport the patch to all branches in the maintained phase in https://releases.openstack.org/? Or Should we include "extended maintenance" branches?

Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, that's what we attempt to convey at https://security.openstack.org/vmt-process.html#supported-versions but I'll push an update for that text to use current release team terminology and link to the releases site.

Once backports are in review for all affected stable branches which are in a Maintained state per the table on the main page of the releases site, we can issue an advisory. If someone also wants to add patches for branches which are under Extended Maintenance then those can be included in the advisory as a convenience, but they are not required for us to be able to move forward with it.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/758841

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/758843

Revision history for this message
Akihiro Motoki (amotoki) wrote : Re: Open redirect in workflow forms

Thanks Jeremy for the clarification.
I just pushed backports to all stable branches in the "maintained" phase.
(Regarding more backports to EM branches, I will discuss with other horizon stable cores.)

Revision history for this message
Gage Hugo (gagehugo) wrote :

First impact draft below, please review and suggest changes where needed.

@Radomir Dopieralski is there any organization/company you are affiliated with?

------------

Title: Open redirect possible in Horizon workflow forms
Reporter: Radomir Dopieralski ()
Products: Horizon
Affects: <18.6.0, <18.3.2, <=16.2.0, <=15.3.1

Description:
Radomir Dopieralski () reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Revision history for this message
Summer Long (slong-g) wrote :

Hi Gage, do you have a CVE# from Mitre for this? Also, Radomir is Red Hat and raised this bug on behalf of a report by Pritam Singh <email address hidden>. thanks, Summer

Revision history for this message
Gage Hugo (gagehugo) wrote :

Not yet, once this draft is approved by the maintainers, I will request a CVE#.

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: <18.6.0, <18.3.2, <=16.2.0, <=15.3.1

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Revision history for this message
Gage Hugo (gagehugo) wrote :

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: >=18.4.0 <18.6.0, >=17.0.0 <18.3.2, <=16.2.0, <=15.3.1

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Gage's impact description in comment #22 looks good to me, except for some slight adjustments to the affected versions line. We typically list affected versions from oldest to newest, and do a strictly less than (<) the next possible point release version for the branch, using an inclusive greater than or equal (>=) to indicate the start of any new ranges of affected releases, with commas (,) separating distinct ranges. The goal is that the resulting list of ranges remains correct after publication without us needing to know what the upcoming version numbers will necessarily be.

In this case, since the master branch fix merged before the Victoria release (leaving stable/victoria unaffected), the stable/ussuri backport merged but has not been tagged with a point release yet, and the remaining backports for stable/train and stable/stein are still under review, I would recommend the following series of affected version ranges:

    "<15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3"

This effectively means that we consider any tagged versions lower than 15.3.2 affected (no tag for this exists but it is the next lowest possible release number for the stable/stein branch). Similarly the 16.0.0 release and any subsequent releases less than 16.2.1 are affected (there is no 16.2.1 on stable/train and may never be, but any version numbers defined by that range are affected). Similarly for the stable/ussuri versions starting from 17.0.0 and less than 18.3.3 (next lowest possible point release on that branch).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/train)

Reviewed: https://review.opendev.org/758841
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=6c208edf323ced07b15ec4bc3879bddb91d398bc
Submitter: Zuul
Branch: stable/train

commit 6c208edf323ced07b15ec4bc3879bddb91d398bc
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Conflicts:
            horizon/test/unit/workflows/test_workflows.py

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)
    (cherry picked from commit baa370f84332ad41502daea29a551705696f4421)

tags: added: in-stable-train
tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/stein)

Reviewed: https://review.opendev.org/758843
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=9e0e333ab5277b6c396f602862ff90398cb0242b
Submitter: Zuul
Branch: stable/stein

commit 9e0e333ab5277b6c396f602862ff90398cb0242b
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Conflicts:
            horizon/test/unit/workflows/test_workflows.py

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)
    (cherry picked from commit baa370f84332ad41502daea29a551705696f4421)
    (cherry picked from commit 6c208edf323ced07b15ec4bc3879bddb91d398bc)

Revision history for this message
Nick Tait (nickthetait) wrote : Re: Open redirect in workflow forms

Any news on CVE assignment?

Revision history for this message
Jeremy Stanley (fungi) wrote :

Revisiting more recent release activity since comment #23, this is what the affects line should include now:

<15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3, >=18.4.0 <18.6.0

15.3.2 was tagged with the fix before stable/stein transitioned to extended maintenance and all versions prior to it are assumed to be affected.

The first stable/train tag is 16.0.0 and most recent is 16.2.0, and the fix there has not been released yet so the earliest tag it could appear in would be 16.2.1.

The first stable/ussuri tag is 17.0.0 and most recent is 18.3.2, and the fix there has not been released yet so the earliest tag it could appear in would be 18.3.3.

The first stable/victoria tag is 18.4.0 and the fix there appeared in 18.6.0.

Revision history for this message
Gage Hugo (gagehugo) wrote :

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: <15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3, >=18.4.0 <18.6.0

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Gage, your updated impact description in comment #28 looks great, thanks! You should be able to base a CVE request on that and push up an OSSA change with a CVE placeholder in the meantime.

Revision history for this message
Gage Hugo (gagehugo) wrote :
Revision history for this message
Summer Long (slong-g) wrote :

Looks like CVE-2020-29565 has been assigned to this issue:
https://nvd.nist.gov/vuln/detail/CVE-2020-29565

Gage Hugo (gagehugo)
summary: - Open redirect in workflow forms
+ Open redirect in workflow forms (CVE-2020-29565)
Revision history for this message
Jeremy Stanley (fungi) wrote :

OSSA-2020-008 has been published to relevant mailing lists and the https://security.openstack.org/ site.

Changed in ossa:
assignee: nobody → Gage Hugo (gagehugo)
status: Incomplete → Fix Released
importance: Undecided → Medium
summary: - Open redirect in workflow forms (CVE-2020-29565)
+ [OSSA-2020-008] Open redirect in workflow forms (CVE-2020-29565)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 16.2.1

This issue was fixed in the openstack/horizon 16.2.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 18.3.3

This issue was fixed in the openstack/horizon 18.3.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon pike-eol

This issue was fixed in the openstack/horizon pike-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon queens-eol

This issue was fixed in the openstack/horizon queens-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon rocky-eol

This issue was fixed in the openstack/horizon rocky-eol release.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.