[OSSA 2012-012] open redirect / phishing attack via "next" parameter

Bug #1039077 reported by Thomas Biege
Affects                        | Status       | Importance | Assigned to    | Milestone
OpenStack Dashboard (Horizon)  | Invalid      | Medium     | Unassigned     |
  Essex                        | Fix Released | Medium     | Unassigned     |
OpenStack Security Advisory    | Fix Released | Undecided  | Russell Bryant |
horizon (Ubuntu)               | Fix Released | Undecided  | Unassigned     |
  Precise: Declined for Precise by Jamie Strandboge

Bug Description

The "next" parameter is used here and there in the Dashboard.

http://10.122.185.2/auth/login/?next=http://www.heise.de

Redirects to www.heise.de.

Instead of redirecting to heise, an attacker can redirect to a cloned Dashboard
to steal information, a so-called phishing attack.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html

Folsom seems to be safe, but it affects Essex.

https://github.com/gabrielhurley/django_openstack_auth/pull/7

description: updated
Vincent Untz (vuntz) wrote :

Just to clarify: the github pull request is what is needed in folsom to actually use the next parameter. I'm attaching the fix for essex.

Thierry Carrez (ttx) wrote :

Adding Devin and Gabriel:
Please confirm that Folsom is unaffected, and that the proposed patch for Essex looks good.

Changed in horizon:
importance: Undecided → Medium
status: New → Confirmed
description: updated
Gabriel Hurley (gabriel-hurley) wrote :

Confirmed that this bug exists in Essex, and the patch there looks good to me.

Folsom is not affected. This kind of security hole is one of the (many) reasons I rewrote the entire auth mechanism to be a pluggable backend for Django's contrib.auth module in the Folsom timeframe.

Changed in horizon:
status: Confirmed → Invalid
Thierry Carrez (ttx) wrote :

@gabriel: could you get another horizon-core dev to review this so that we can consider it pre-approved (and ready to be fast-tracked into review when the embargo ends)? Just subscribe that person to the bug to give him access.

Proposed impact description, please validate:

Title: Open redirect through 'next' parameter
Impact: Medium
Reporter: Thomas Biege (SUSE)
Products: Horizon
Affects: Essex

Description:
Thomas Biege from SUSE reported a vulnerability in the Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted from him. Only setups running Essex are affected.

Gabriel Hurley (gabriel-hurley) wrote :

I'm adding Paul McMillan to this bug for further security review. He can give the patch a second +2 here.

Paul McMillan (paul-mcmillan) wrote :

The attached patch isn't as thorough as I'd prefer. Alternate patch forthcoming.

Paul McMillan (paul-mcmillan) wrote :

This patch strictly checks protocol, host, and port before allowing a redirect.

Paul McMillan (paul-mcmillan) wrote :

And I really will learn how to use launchpad one of these days. Sorry for the noise.

Gabriel Hurley (gabriel-hurley) wrote :

lgtm

Thierry Carrez (ttx) wrote :

@Thomas, Vincent: confirm that the new patch is good for you.
Everyone: please confirm that impact description looks good (if not, suggest alternate wording)

Once that's done we can push to downstream stakeholders and define end-of-embargo date.

Vincent Untz (vuntz) wrote :

I haven't tested the patch, but it makes sense to me.

Note that my earlier patch was really just mimicking what django is doing: https://github.com/django/django/blob/master/django/contrib/auth/views.py#L49

So if we go for this more solid version, we might want to add that to django_openstack_auth for Folsom (or even better, to fix this in django upstream).

Paul McMillan (paul-mcmillan) wrote :

I'll consider the change for upstream Django.

One reason Horizon can make this kind of assertion more readily is that we know more about the use case than upstream. It's not out of the question that someone is using the Django authentication framework, then redirecting to an insecure site, or an app running on a different port, or...

I would change the impact wording to drop the words "from him". Otherwise looks good.

Thierry Carrez (ttx) wrote :

Fixed impact description:

Title: Open redirect through 'next' parameter
Impact: Medium
Reporter: Thomas Biege (SUSE)
Products: Horizon
Affects: Essex

Description:
Thomas Biege from SUSE reported a vulnerability in the Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected.

Looks ready to be pushed to downstream stakeholders now.

Russell Bryant (russellb) wrote :

I will send this to downstream stakeholders now. My proposed disclosure date is Thursday, Aug 30th.

Russell Bryant (russellb) wrote :
visibility: private → public
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/essex)

Reviewed: https://review.openstack.org/12193
Committed: http://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b
Submitter: Jenkins
Branch: stable/essex

commit 35eada8a27323c0f83c400177797927aba6bc99b
Author: Paul McMillan <email address hidden>
Date: Wed Aug 22 12:15:40 2012 -0700

    Fix open redirect in Horizon.

    LP 1039077. Disallow login redirects to anywhere other than the same origin.

    Change-Id: I36e8e4f30cf440ecc73534af38fcd8d2a111a603
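
The merged change is described above only in outline: Paul McMillan's patch "strictly checks protocol, host, and port before allowing a redirect", and the commit disallows login redirects to anywhere other than the same origin. The following is an added illustration of that same-origin check, written for this page and not taken from the Horizon patch or from django_openstack_auth. The deployment host horizon.example, the fallback landing page "/", and the function names are assumptions; www.heise.de is the redirect target from the original report. It also covers the backslash and "///host" variants that a plain netloc comparison misses, which the page does not discuss.

```python
from urllib.parse import urlsplit

# Default ports, so "https://host" and "https://host:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Where to send the user when the 'next' value is rejected (assumed value,
# not taken from the Horizon patch).
FALLBACK_REDIRECT = "/"


def _origin(scheme, netloc):
    """Return a normalised (scheme, host, port) triple, or None if netloc
    cannot be parsed (unbalanced IPv6 bracket, non-numeric port, ...)."""
    scheme = scheme.lower()
    try:
        parts = urlsplit("%s://%s" % (scheme, netloc))
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    # .hostname drops any user@ prefix, so 'https://horizon.example@evil'
    # is compared as host 'evil', not 'horizon.example'.
    return (scheme, (parts.hostname or "").lower(), port)


def is_same_origin_redirect(next_url, request_scheme, request_netloc):
    """True only if next_url keeps the browser on the scheme, host and port
    of the current request. Relative paths starting with a single '/' are
    accepted; other hosts, other ports, other schemes (including
    javascript:), and backslash variants are rejected."""
    if not next_url:
        return False
    # Browsers treat a backslash like a forward slash, so '/\evil' would
    # parse here as a local path but navigate off-site; normalise first.
    candidate = next_url.strip().replace("\\", "/")
    # '///host' parses with an empty netloc but browsers read it as //host.
    if candidate.startswith("///"):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Purely relative: only an absolute path on this site is allowed.
        return candidate.startswith("/")
    # A scheme-relative '//host/...' URL inherits the request's scheme.
    target = _origin(parts.scheme or request_scheme, parts.netloc)
    return target is not None and target == _origin(request_scheme, request_netloc)


def redirect_target(query_params, request_scheme, request_netloc):
    """Pick the post-login destination from the request's 'next' value,
    falling back to FALLBACK_REDIRECT when it fails the origin check."""
    next_url = query_params.get("next", "")
    if is_same_origin_redirect(next_url, request_scheme, request_netloc):
        return next_url.strip()
    return FALLBACK_REDIRECT


if __name__ == "__main__":
    # Constructed sample: a Horizon deployment at https://horizon.example
    # receiving the login URL from the bug report and a few variants.
    for nxt in ["/project/instances/",
                "http://www.heise.de",
                "//www.heise.de",
                "https://horizon.example:8443/admin/"]:
        dest = redirect_target({"next": nxt}, "https", "horizon.example")
        print("%-40s -> %s" % (nxt, dest))
```

Comparing a normalised (scheme, host, port) triple rather than the raw netloc string is what makes the check "strict" in the sense the comment above uses: a different port or a downgrade from https to http on the same host is treated as a different origin, while "https://horizon.example" and "https://horizon.example:443" are treated as the same one.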

Russell Bryant (russellb) wrote : Re: open redirect / phishing attack via "next" parameter
Changed in horizon (Ubuntu):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed in http://www.ubuntu.com/usn/usn-1565-1 in Ubuntu.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Thomas, or anyone else affected,

Accepted horizon into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/horizon/2012.1.3+stable-20130423-5ce39422-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Yolanda Robla (yolanda.robla) wrote : Verification report.

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Horizon has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Stable review: https://review.openstack.org/12193

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Yolanda Robla (yolanda.robla) wrote : Re: open redirect / phishing attack via "next" parameter

Test coverage log.

tags: added: verification-done
removed: verification-needed
Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thierry Carrez (ttx)
summary: - open redirect / phishing attack via "next" parameter
+ [OSSA 2012-012] open redirect / phishing attack via "next" parameter
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released