Comment 4 for bug 1409142

Andrew Laski (alaski) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server

I am trying to understand this fully as I do not have a lot of prior experience with cross-site type exploits. When requesting console access from Nova, it returns a URL with an auth token included as a GET query parameter. On its own there doesn't seem to be anything exploitable here. The problem seems to come in when that URL is passed into a browser and the token is stored in a cookie? And then subsequent attempts at accessing that URL from the same browser would pass the token in that cookie. It seems that using the token from the cookie is part of the security concern, but may not be something we can stop doing based on a comment in the code.

There does appear to be some risk here, but I do have concerns about the proposed patch. It is possible that some deployers are currently relying on the behavior explained here so there is a risk of breaking them. I would suggest amending the patch so that the origin checking is configurable, with the default being to check it.
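One way to implement the configurable Origin check suggested above, shown here as an added example and not Nova's own patch: the handshake headers, the list of origins the console page is served from, and the `enforce` switch (defaulting to on) are assumed inputs.

```python
# Added example (not code from Nova): Origin check for a websocket proxy
# handshake, with a configurable switch that defaults to enforcing it.
from urllib.parse import urlsplit


def _normalize(origin):
    """Return (scheme, host, port) for an Origin value, filling in default ports.

    Returns None for anything that is not an http(s) origin, including the
    literal "null" origin browsers send from sandboxed or opaque contexts.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers, expected_origins, enforce=True):
    """Decide whether a websocket handshake may proceed.

    headers: request headers as a dict (looked up case-insensitively).
    expected_origins: origins the console page is legitimately served from,
        e.g. ["https://dashboard.example.com"] (hypothetical value).
    enforce: the configurable switch; False restores the old behaviour of
        accepting any Origin, for deployers relying on it.
    """
    if not enforce:
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        # Assumption: browsers always send Origin on a websocket handshake, so a
        # missing header means a non-browser client, where the cookie-based
        # cross-site hijack does not apply. Reject instead if that is too lax.
        return True
    norm = _normalize(origin)
    if norm is None:
        return False
    # Scheme, host and port must all match: a same-host http Origin must not be
    # accepted for an https console, since that downgrades the check.
    return norm in {_normalize(o) for o in expected_origins}
```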