| 2022-06-30 10:42:37 |
Sven Anders |
bug |
|
|
added bug |
| 2022-06-30 12:08:54 |
Jeremy Stanley |
description |
# Description of the bug
We use horizon in the following version: `git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on the command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'
``
So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/ and you can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2022-09-28 and will be made
public by or on that date even if no fix is identified.
# Description of the bug
We use horizon in the following version: `git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on the command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'
``
So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/ and you can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this. |
|
| 2022-06-30 12:09:07 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2022-06-30 12:09:14 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2022-06-30 12:09:29 |
Jeremy Stanley |
bug |
|
|
added subscriber Horizon Core security contacts |
| 2022-10-18 17:17:16 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2022-09-28 and will be made
public by or on that date even if no fix is identified.
# Description of the bug
We use horizon in the following version: `git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on the command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'
``
So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/ and you can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this. |
# Description of the bug
We use horizon in the following version: `git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on the command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'
``
So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/ and you can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this. |
|
| 2022-10-18 17:17:24 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
