Sounds good.

On Apr 26, 2012, at 6:29 PM, Russell Bryant wrote:

> Thanks for the patch reviews! I'll send out the advance notification
> with the description updated to reflect Gabriel's comments tomorrow.
>
> Does anyone have a problem with Thursday, April 31st as the CRD
> (coordinated release date) ?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/978896
>
> Title:
> session fixation vulnerability
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
>
> Bug description:
> Hi,
> it looks like openstack-dashboard is vulnerable to a session fixation attack. Here is an HTTP dialog:
>
> 1. eviled Login with no Cookie header
> -------------------------------------
> POST http://test:80/auth/login/ HTTP/1.0
> User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
> Host: test
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png,
> image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
> Accept-Language: de-DE,de;q=0.9,en;q=0.8
> Accept-Encoding: gzip, deflate
> Referer: http://test
> Cookie: csrftoken=f5ce126776d4ede0bff352d2e53e3e28;
> sessionid=f7467b5b66ac49c48c74386d558c3319
> Proxy-Connection: Keep-Alive
> Content-length: 141
> Content-Type: application/x-www-form-urlencoded
>
> csrfmiddlewaretoken=f5ce126776d4ede0bff352d2e53e3e28&method=Login&region=http%3A%2F%2F127.0.0.1%3A5000%2Fv2.0&username=eviled&password=eviled
>
> 2. eviled gets response with sessionid Cookie
> ----------------------------------------------
> HTTP/1.1 302 FOUND
> Date: Wed, 21 Mar 2012 15:59:09 GMT
> Server: Apache/2.2.12 (Linux/SUSE)
> Vary: Accept-Language,Cookie
> Location: http://test
> Content-Language: en
> Set-Cookie: sessionid=f7467b5b66ac49c48c74386d558c3319; Path=/
> Content-length: 0
> Connection: close
> Content-Type: text/html; charset=utf-8
>
> 3. eviled logout
> -----------------
> GET http://test:80/auth/logout/ HTTP/1.0
> User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
> Host: test
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png,
> image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
> Accept-Language: de-DE,de;q=0.9,en;q=0.8
> Accept-Encoding: gzip, deflate
> Referer: http://test
> Cookie: sessionid=f7467b5b66ac49c48c74386d558c3319;
> csrftoken=f5ce126776d4ede0bff352d2e53e3e28
> Pragma: no-cache
> Cache-Control: no-cache
> Proxy-Connection: Keep-Alive
>
> 4. Admin Login:
> ---------------
> GET http://test:80/auth/logout/ HTTP/1.0
> User-Agent: Opera/9.80 (X11; Linux x86_64; U; de) Presto/2.10.229 Version/11.61
> Host: test
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png,
> image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
> Accept-Language: de-DE,de;q=0.9,en;q=0.8
> Accept-Encoding: gzip, deflate
> Referer: http://test/nova/
> Cookie: sessionid=f7467b5b66ac49c48c74386d558c3319;
> csrftoken=f5ce126776d4ede0bff352d2e53e3e28
> Pragma: no-cache
> Cache-Control: no-cache
> Proxy-Connection: Keep-Alive
>
> 5. Admin request sets the same CSRF token and sessionid Cookie
> --------------------------------------------------------------
> HTTP/1.1 200 OK
> Date: Wed, 21 Mar 2012 15:59:13 GMT
> Server: Apache/2.2.12 (Linux/SUSE)
> Vary: Cookie,Accept-Language
> Content-Language: en
> Set-Cookie: csrftoken=f5ce126776d4ede0bff352d2e53e3e28; expires=Wed,
> 20-Mar-2013 15:59:13 GMT; Max-Age=31449600; Path=/
> Set-Cookie: sessionid=f7467b5b66ac49c48c74386d558c3319; Path=/
> Connection: close
> Content-Type: text/html; charset=utf
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/978896/+subscriptions
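The signature of the fixation in the quoted dialog is that the login request already carries a sessionid and the 302 response re-issues exactly that value instead of a fresh one. The following is an added example, not code from the Horizon bug report or the Horizon project: a regression check a defender can run over captured login headers (the sample headers are the ones quoted above; the rotated Set-Cookie value is constructed) to flag a login that does not rotate the session identifier.

```python
"""Flag a login exchange whose session id is not rotated (session fixation check).

Added example; the header samples below are copied from the quoted Horizon
report, except ROTATED_SET_COOKIES, whose session value is constructed.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Step 1 request "Cookie:" header (folded onto two lines in the report).
LOGIN_REQUEST_COOKIE = ("csrftoken=f5ce126776d4ede0bff352d2e53e3e28; "
                        "sessionid=f7467b5b66ac49c48c74386d558c3319")
# Step 2 response: the server re-issues the client-supplied session id.
LOGIN_RESPONSE_SET_COOKIES = ["sessionid=f7467b5b66ac49c48c74386d558c3319; Path=/"]
# Constructed counter-example: a server that issues a new id on login.
ROTATED_SET_COOKIES = ["sessionid=0123456789abcdef0123456789abcdef; Path=/"]


def parse_request_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a request 'Cookie:' header into a name -> value mapping."""
    jar: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def session_from_set_cookie(set_cookie_headers: List[str],
                            name: str = "sessionid") -> Optional[str]:
    """Return the value a response assigns to the session cookie, or None."""
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        if name in cookie:
            return cookie[name].value
    return None


def fixation_detected(request_cookie: str, response_set_cookies: List[str],
                      name: str = "sessionid") -> bool:
    """True when a successful login leaves the client on the session id it presented."""
    before = parse_request_cookies(request_cookie).get(name)
    if before is None:
        return False  # client presented no session, so nothing could be fixed
    after = session_from_set_cookie(response_set_cookies, name)
    # Re-issuing the same id, or issuing none at all, both keep the
    # pre-authentication id alive: that is the fixation condition.
    return after is None or after == before
```

The standard Django-side mitigation is to issue a fresh session key on successful authentication (`SessionBase.cycle_key()`), after which this check returns False for the login exchange.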