@Paul McMillan could you check if the proposed changes fix the issue? (openstack_auth in comment #38 and horizon in comment #34, assuming both are required.)
Here is the updated impact description draft #2 (thanks to Thierry's review):
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2
Description:
Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page, a remote attacker may generate unwanted session records, potentially resulting in a denial of service. All Horizon setups are affected.