[OSSA 2012-012] open redirect / phishing attack via "next" parameter
Bug #1039077 reported by Thomas Biege
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Invalid | Medium | Unassigned | |
| Essex | Fix Released | Medium | Unassigned | |
| OpenStack Security Advisory | Fix Released | Undecided | Russell Bryant | |
| horizon (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
The "next" parameter is used here and there in the Dashboard.
http://
Redirects to www.heise.de.
Instead of redirecting to heise, an attacker can redirect to a cloned Dashboard
to steal information, a so-called phishing attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://
Folsom seems to be safe, but it affects Essex.
https:/
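As an added illustration (not the Essex patch attached to this bug, and not Horizon's own code), this is the kind of check a Django view can apply to a "next" parameter before issuing the redirect: only same-site paths, or absolute URLs on an explicitly allowed host, are accepted. The host name `dashboard.example.org` and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Added example: constrain a "next"-style redirect target to this site.
# Illustrative code only; it is not the Horizon fix referenced in the bug.

def safe_next(next_param, default="/", allowed_hosts=frozenset()):
    """Return `next_param` if it cannot leave the site, else `default`.

    Accepted: relative paths beginning with a single "/" (e.g.
    "/project/instances/"), and http(s) URLs whose host is in
    `allowed_hosts`. Rejected: foreign hosts (the www.heise.de case from
    the report), scheme-relative "//host" forms, other schemes such as
    javascript:, NUL bytes, and backslashes that some browsers turn into
    slashes. The percent-decoded form is checked as well, so an encoded
    "%2F%2Fhost" cannot bypass the "//" test.
    """
    if not next_param:
        return default
    candidate = next_param.strip()
    decoded = unquote(candidate)
    for value in (candidate, decoded):
        if "\\" in value or "\x00" in value or value.startswith("//"):
            return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to an explicitly allowed host.
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname not in allowed_hosts:
            return default
        return candidate
    # Relative target: must be an on-site path, not "evil.test/..." etc.
    if not decoded.startswith("/"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, including the host named in the report.
    for value in ("/project/instances/", "http://www.heise.de/",
                  "//www.heise.de/", "%2F%2Fwww.heise.de", "javascript:alert(1)"):
        print(repr(value), "->", safe_next(value, default="/home/"))
```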
- description: updated
- description: updated
- Changed in horizon (Ubuntu): status: New → Fix Released
- summary: "open redirect / phishing attack via "next" parameter" → "[OSSA 2012-012] open redirect / phishing attack via "next" parameter"
- Changed in ossa: assignee: nobody → Russell Bryant (russellb); status: New → Fix Released
Just to clarify: the GitHub pull request is what is needed in Folsom to actually use the next parameter. I'm attaching the fix for Essex.