Comment 16 for bug 1394370

Tihomir Trifonov (ttrifonov) wrote : Re: horizon login page is vulnerable to DOS attack

With the added check for:

    if settings.SESSION_COOKIE_NAME in request.COOKIES:

an attacker can easily set a fake cookie with the specified name and will go through session.create() anyway.

Regarding the get_user monkey patch - since we use an external auth system (Keystone), we can't use the Django UserId, so we need to store the Keystone User Id and SessionBackend in the session in order to create the user from it.

One possible solution is to clean the session on line 59:

https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L59

But this way, although we will keep the database clean, we might end up with a DOS vulnerability from the CREATE-DELETE DB requests on each anonymous request.

Another way is to monkey patch the load() method of SessionStore to avoid creating a new session, since we do not use the session for anonymous requests.
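The two points made in this comment, that a presence check on the session cookie is bypassed by any attacker-chosen value, and that replacing SessionStore.load() so an unknown key does not trigger create() stops the per-request database write, can be shown with a small model. The following is an added example written for this page; it is not code from Django, Horizon or django_openstack_auth. FakeSessionDB, FakeSessionStore, Request, get_user and the two run_* helpers are constructed for the example, and FakeSessionStore.load() copies only the shape of the old database backend in which an unknown session key led straight to create(). The cookie name "sessionid" and the 16-byte random keys are assumptions.

```python
"""Model of the session-creation DoS: bogus cookies vs. a patched load()."""
import secrets

SESSION_COOKIE_NAME = "sessionid"  # assumed; Django's default value


class FakeSessionDB:
    """Stand-in for the session table; one entry per stored session key."""

    def __init__(self):
        self.rows = {}

    def get(self, key):
        return self.rows.get(key)

    def insert(self, key, data):
        self.rows[key] = dict(data)


class FakeSessionStore:
    """Minimal store: load() creates a row whenever the key is unknown."""

    def __init__(self, db, session_key=None):
        self.db = db
        self.session_key = session_key
        self._data = None

    def create(self):
        self.session_key = secrets.token_hex(16)
        self.db.insert(self.session_key, {})

    def load(self):
        row = self.db.get(self.session_key) if self.session_key else None
        if row is None:
            self.create()  # one DB write for every unknown key presented
            return {}
        return dict(row)

    def get(self, key, default=None):
        if self._data is None:
            self._data = self.load()
        return self._data.get(key, default)

    def __setitem__(self, key, value):
        if self._data is None:
            self._data = self.load()
        self._data[key] = value

    def save(self):
        if self.session_key is None:
            self.create()
        self.db.insert(self.session_key, self._data or {})


def load_without_create(self):
    """Replacement load(): an unknown key means no session, nothing is written."""
    row = self.db.get(self.session_key) if self.session_key else None
    if row is None:
        self.session_key = None
        return {}
    return dict(row)


class Request:
    def __init__(self, cookies):
        self.COOKIES = cookies
        self.session = None


def get_user(db, request):
    """The cookie-presence check: any value passes it, and reading the
    session still calls load(), so the check alone does not help."""
    request.session = FakeSessionStore(db, request.COOKIES.get(SESSION_COOKIE_NAME))
    if SESSION_COOKIE_NAME in request.COOKIES:
        return request.session.get("user_id")
    return None


def _with_store(patched, body):
    original = FakeSessionStore.load
    if patched:
        FakeSessionStore.load = load_without_create  # the monkey patch
    try:
        return body()
    finally:
        FakeSessionStore.load = original


def run_anonymous_flood(n, patched=False):
    """n anonymous requests, each with a fresh bogus cookie; returns row count."""
    db = FakeSessionDB()

    def flood():
        for _ in range(n):
            get_user(db, Request({SESSION_COOKIE_NAME: secrets.token_hex(16)}))
        return len(db.rows)

    return _with_store(patched, flood)


def run_login_then_revisit(patched=False):
    """A real session survives the patch: (user id read back, rows in DB)."""
    db = FakeSessionDB()

    def flow():
        login = FakeSessionStore(db)
        login["user_id"] = "keystone-user-1"  # constructed id
        login.save()
        revisit = Request({SESSION_COOKIE_NAME: login.session_key})
        return get_user(db, revisit), len(db.rows)

    return _with_store(patched, flow)


if __name__ == "__main__":
    print("unpatched flood, rows created:", run_anonymous_flood(50))
    print("patched flood, rows created:  ", run_anonymous_flood(50, patched=True))
    print("patched login round trip:     ", run_login_then_revisit(patched=True))
```

Running it shows the flood of 50 requests with random cookie values leaves 50 rows behind with the original load() and none with the replacement, while a session created at login is still read back on the next request. The same model also makes the cost of the other option visible: deleting the session afterwards would remove the rows but keeps one create and one delete per anonymous request.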