* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try: request.user = auth.authenticate(request, auth_url=auth_url, token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL) set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this.
# Description of the bug
We use horizon in the following version: `git+https:/ /opendev. org/openstack/ horizon@ 9d1bb3626bc1dbc f29a55aeb094f43 50067317cd# egg=horizon`
In Horizon there is the following code in Xena: auth/views. py
openstack_
``` META.get( 'HTTP_REFERER' , settings. OPENSTACK_ KEYSTONE_ URL) up_auth_ url(referer) POST.get( 'token' )
request. user = auth.authentica te(request, auth_url=auth_url,
token= token)
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.
auth_url = utils.clean_
token = request.
try:
...
```
This call is usually called during SAML-Auth, but you can call it on the command line like this:
`` horizon- name:8080/ auth/websso/ ' -X POST -H 'Referer: https:/ /referer: 5001/' -H 'Content-Type: application/ x-www-form- urlencoded' --data-raw 'token=mytoken'
curl -v 'http://
``
So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.
I have changed the referer to a web server https:/ /webserver/ su-huhu/ and you can find inside the logfile:
``` of-horizon> - - [28/Jun/ 2022:08: 15:06 +0200] "POST /su-huhu/ v3/auth/ tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python- requests/ 2.27.1 CPython/3.8.10"
access.log: <ip-address-
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards. user:passwort@ ip/.
* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there: post_parameters () WEBSSO_ USE_HTTP_ REFERER: META.get( 'HTTP_REFERER' ,
settings. OPENSTACK_ KEYSTONE_ URL) up_auth_ url(referer) OPENSTACK_ KEYSTONE_ URL POST.get( 'token' )
request. user = auth.authentica te(request, auth_url=auth_url,
token= token) KeystoneAuthExc eption as exc: WEBSSO_ DEFAULT_ REDIRECT: http.HttpRespon seRedirect( settings. LOGIN_ERROR) http.HttpRespon seRedirect( settings. LOGIN_URL)
set_ logout_ reason( res, msg)
```
# TODO(stephenfin): Migrate to CBV
@sensitive_
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.
referer = request.
auth_url = utils.clean_
else:
auth_url = settings.
token = request.
try:
except exceptions.
if settings.
res = django_
else:
msg = 'Login failed: %s' % exc
res = django_
return res
```
only changing the WEBSSO_ USE_HTTP_ REFERER to false (Default true) will forbid to call this.