Comment 35 for bug 1394370

Tihomir Trifonov (ttrifonov) wrote : Re: horizon login page is vulnerable to DOS attack

The latest patch is still vulnerable; just run:

    csrf=$(curl https://dashboard | grep csrfmiddlewaretoken-match-pattern)

Then run this request:

    curl -i https://dashboard/auth/login/ -d "csrfmiddlewaretoken=$csrf&region=http://dashboard:5000/v2.0&username=fake&password=fake" -b csrftoken=$csrf

You can repeat the request as many times as you want. Each run will add a new row in the DB.

But I think the mystery is finally revealed:

First this:
https://github.com/openstack/django_openstack_auth/blob/455aaeab8d16fbecebe9a088e10e0e532a3116cb/openstack_auth/forms.py#L101

and then that:
Django 1.7:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L276

Django 1.6 (Ouch):
https://github.com/django/django/blob/stable/1.6.x/django/contrib/sessions/backends/base.py

So .flush() should be replaced with .delete(session_key), as in 1.6 it calls .create(), and in 1.7 .clear() sets self.modified = True, but we don't have anything in the session anyway.

My assumption is that Django wants to persist the session, as by default websites might need to store user settings for anonymous users. Also, the sessionId is persisted for security reasons - since the session_key value is the primary key in the database, you cannot create duplicate sessionIds. Otherwise - if one user logs in and is assigned sessionId=123, then another user plays as anonymous, but for some reason the server assigns the same sessionId (possible in web farms) - they will be able to see the same as the logged-in user.

But Horizon doesn't actually need that. It doesn't offer anything to anonymous users. So Django should probably be able to handle the case with no anonymous sessions in the DB as a general use case.

One minor drawback of the patch is that after a logout, a new session id is associated with the user, and it remains in the DB. But this should be generally OK for handling. To clear it - we still need the cleanup middleware.

The patch issues .delete() in django_openstack_auth, which works in 1.6 and 1.7 - no database rows added. And we can add the latest patch from Eric for horizon, as it makes things simple.
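A runnable model of the mechanism traced in this comment, added here and not code from Django or django_openstack_auth: a toy session store with the 1.6 and 1.7 flush() semantics as read above, plus the SessionMiddleware rule that saves a modified session, so the rows left behind by failed anonymous logins can be counted with .flush() versus .delete(session_key). The class, function and version strings are assumptions for illustration.

```python
# Added example (not Django's code): toy SessionBase/SessionMiddleware model per this comment's reading of 1.6 vs 1.7.
import itertools

_keys = itertools.count(1)  # stands in for Django's random session key generation

class FakeSessionStore:
    def __init__(self, db, version):
        self.db = db                  # dict standing in for the session table
        self.version = version        # "1.6" or "1.7"
        self._session_key = None      # anonymous request: no sessionid cookie
        self._data = {}
        self.modified = False

    def create(self):                 # allocates a key and writes a row now
        self._session_key = "sess%d" % next(_keys)
        self.save()
        self.modified = True

    def save(self):
        if self._session_key is None:
            return self.create()
        self.db[self._session_key] = dict(self._data)

    def delete(self, session_key=None):   # drops the row, modified untouched
        self.db.pop(session_key or self._session_key, None)

    def clear(self):
        self._data = {}
        self.modified = True          # the 1.7 detail the comment points at

    def flush(self):
        self.clear()
        self.delete()
        if self.version == "1.6":
            self.create()             # 1.6: new row written right here
        else:
            self._session_key = None  # 1.7: middleware writes the row instead

def rows_after_failed_logins(n, version, use_delete):
    # Session-table rows left by n anonymous POSTs with bad credentials.
    db = {}
    for _ in range(n):
        session = FakeSessionStore(db, version)
        if use_delete:
            session.delete(session._session_key)   # replacement proposed above
        else:
            session.flush()                        # what the earlier patch did
        if session.modified:          # SessionMiddleware saves modified sessions
            session.save()
    return len(db)
```

With .flush() every failed login leaves one row under either version; with .delete(session_key) the table stays empty, which is the behaviour the patch relies on.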