Open redirect / phishing attack via "success_url" parameter in OpenStack

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

May I ask for any updates on the bug?

I confirmed it.

Using "success_url" parameter in an URL was introduced in commit a436b12acc85d474f4e71404de771d7143421eed and the corresponding gerrit review is https://review.opendev.org/c/openstack/horizon/+/270461 .
The affected version is horizon 12.0.0 and later (up to the master).

The URL parameter "success_url" is used to control a page shown after succeeding the snapshot update operation, but passing the full URL is not a good way to achieve the goal. Horizon should not depend on an URL passed from users. It should be decided internally.
Perhaps a fix would be to define a subclass of [1] instead of using "success_url" from request.GET.

[1] https://opendev.org/openstack/horizon/src/branch/master/openstack_dashboard/dashboards/project/snapshots/views.py#L83

Thanks a lot for your confirmation. Please notify me when the bug fix is released so we can disclose this bug.

Hi team,

It has been a few weeks since I report this bug. How is it going? Has the fixed been released so we can disclose this report?

Thanks for your time.

@phannguyenlong, Hi I have attached a fix here, please let me know if it fixes this issue?

Dear Team,

It seems to me that the bug has been fixed successfully.

Hi Team,

Can we disclose and public this issue so that I can ask for CVE for it?

Vishal: Is it the Horizon team's assessment that this defect represents a severe enough risk to warrant stable branch backports and a coordinated publication of a security advisory? If not, then we can switch it to public immediately and the fix can just be pushed normally into Gerrit.

Any update so far?

fungi: yeah, it looks like a security issue to me and we should fix and merge it asap in master and stable branches. I am waiting for the horizon CoreSec team and the author of this bug to review the patch I added in #6.

The author seems to indicate in comment #7 (two weeks ago) that the supplied patch works to mitigate the vulnerability. Let me know if you plan to reach out to the Horizon reviewers, or if I should do so, as they don't appear to have weighed in yet. At this point it's taken so long that we've probably missed the opportunity to avoid releasing Zed without this bug.

Given the long times between providing a fix and reviewing it so far, the Horizon team's priority for this problem seems to be very low, which is why I asked whether we should just go ahead and make it public as soon as possible, rather than spending even more time trying to coordinate supplying backported patches to downstream stakeholders in private and scheduling an advisory (which would add at least another week after all the backports are ready).

The proposed patch mitigates the issue by removing the redirect entirely, which of course works, but degrades the user experience. We can merge it as a stopgap solution, but a correct long-term fix would be to validate the url before redirecting, like we do here:

https://github.com/openstack/horizon/blob/master/horizon/workflows/views.py#L96-L102

After further discussion with Vishal Manchanda, the risk implied by this bug is minor enough that the most expedient solution will be to go public with it now and follow our lower-effort public security process: https://security.openstack.org/vmt-process.html#process

Please push the proposed fix(es) to Gerrit and mention this report in the commit message, so it can be reviewed there with full context.

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/857740

Reviewed: https://review.opendev.org/c/openstack/horizon/+/857740
Committed: https://opendev.org/openstack/horizon/commit/79d139594290779b2f74ca894332aa7f2f7e4735
Submitter: "Zuul (22348)"
Branch: master

commit 79d139594290779b2f74ca894332aa7f2f7e4735
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing the input URL that allows an attacker to
    redirect the user to another website. This patch update 'Updateview'
    class to not use the "sucess_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/862899

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/862900

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/horizon/+/862901

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/horizon/+/862902

Reviewed: https://review.opendev.org/c/openstack/horizon/+/862902
Committed: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit beed6bf6f6f83df9972db5fb539d64175ce12ce9
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing the input URL that allows an attacker to
    redirect the user to another website. This patch update 'Updateview'
    class to not use the "sucess_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
    (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)

This issue was fixed in the openstack/horizon 19.4.0 release.

Since the bug is fixed and released, could you please request a CVE and put it on OpenStack Security Advisories (OSSA) to notify other users and follow the process here (https://security.openstack.org/vmt-process.html).

The fix for horizon's stable/yoga branch doesn't appear to pass testing yet, and the fixes for stable/zed and stable/xena still need to be reviewed and approved by horizon developers as well. Once that is done, we can proceed with issuing an advisory.

Thanks for your reply, please notify me when you processing the next step.

Thanks a lot!

This issue was fixed in the openstack/horizon 23.1.0 release.

Reviewed: https://review.opendev.org/c/openstack/horizon/+/862901
Committed: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 2f600272bfffb3024e6f06a369f9b4768dd1a0b0
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing the input URL that allows an attacker to
    redirect the user to another website. This patch update 'Updateview'
    class to not use the "sucess_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
    (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)

This issue was fixed in the openstack/horizon 20.1.4 release.

This issue was fixed in the openstack/horizon 22.1.1 release.

Reviewed: https://review.opendev.org/c/openstack/horizon/+/862899
Committed: https://opendev.org/openstack/horizon/commit/93b36289730e74351eb4366ce31d23cc85839f96
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 93b36289730e74351eb4366ce31d23cc85839f96
Author: manchandavishal <email address hidden>
Date: Wed Sep 14 22:17:58 2022 +0530

    Fix success_url parameter issue for Edit Snapshot

    The "success_url" param is used when updating the project snapshot
    [1] and it lacks sanitizing the input URL that allows an attacker to
    redirect the user to another website. This patch update 'Updateview'
    class to not use the "sucess_url" method.

    Closes-bug: #1982676

    [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

    Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
    (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)

This issue was fixed in the openstack/horizon 23.0.1 release.