novncproxy open redirect
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | New | Undecided | Unassigned |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |
Bug Description
Security Issue
==============
We have found an open redirect vulnerability in Nova novncproxy.
Impact
======
- Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors.
- Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations.
Steps to Reproduce
==================
Simply curl the URL below and it will redirect to google.com
http://
Example
=======
$ curl "http://
* Trying 10.X.Y.Z...
* TCP_NODELAY set
* Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0)
> GET ////google.
> Host: nova-novncproxy
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: WebSockify Python/3.6.9
< Date: Wed, 31 Aug 2022 11:59:29 GMT
< Location: //google.com/%2f../
Reference
=========
https:/
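Added example (not part of the original report, and not Nova or websockify code): a defender-side check that reads `curl -v` output like the transcript above and reports whether the redirect's Location header resolves to a different origin than the requested host. The function names and the `/app/` path are assumptions made for illustration; the sample lines are copied from the transcript in this report.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_offsite_redirect(request_url, location):
    """True if a browser following `location` would leave the request's origin."""
    base = urlsplit(request_url)
    # urljoin resolves a network-path reference ("//host/...") the way a
    # browser does: it keeps the base scheme but replaces the host.
    target = urlsplit(urljoin(request_url, location))
    return (target.scheme, target.netloc) != (base.scheme, base.netloc)

def starts_with_network_path(raw_path):
    """True if a request path begins with '//', the shape echoed into Location above."""
    return raw_path.split("?", 1)[0].startswith("//")

def audit_curl_transcript(lines, scheme="http"):
    """Scan `curl -v` lines; return a finding dict for a redirect, else None."""
    host = status = location = None
    for line in lines:
        if line.startswith("> Host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("< HTTP/"):
            status = int(line.split()[2])
        elif line.lower().startswith("< location:"):
            location = line.split(":", 1)[1].strip()
    if host is None or location is None or status not in REDIRECT_CODES:
        return None
    request_url = f"{scheme}://{host}/"
    return {
        "status": status,
        "location": location,
        "resolved": urljoin(request_url, location),
        "offsite": is_offsite_redirect(request_url, location),
    }

# Lines copied from the transcript in this report (truncated lines left out).
SAMPLE = [
    "> Host: nova-novncproxy",
    "< HTTP/1.1 301 Moved Permanently",
    "< Server: WebSockify Python/3.6.9",
    "< Location: //google.com/%2f../",
]

if __name__ == "__main__":
    print(audit_curl_transcript(SAMPLE))
```
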
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.
This report sounds strikingly similar to "OSSA-2021-002: Open Redirect in noVNC proxy" which we published in July of last year. What version of Nova did you encounter the problem in?
https://security.openstack.org/ossa/OSSA-2021-002.html