weizhouapache opened a new issue #4550: URL: https://github.com/apache/cloudstack/issues/4550
The URL in the iframe of the noVNC console can be used without user login.

When we open a vm console and then open the source of the page, we get the real link of the noVNC console. We are able to access the noVNC console on other browsers/servers via the link, without user login. This is a potential security issue.

We have two options:

(1) Add the source IP of the client to the encrypted token, and check the client IP after token decryption when accessing the vm console. We need to make sure:
- the IP seen by the management server and by the CPVM (console proxy vm) are the same;
- if the new browser/session has the same outgoing IP as the old session, it will still be able to access the vm console.

To be clear, these two files need to be changed:
- https://github.com/apache/cloudstack/blob/master/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
- https://github.com/apache/cloudstack/blob/master/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java

(2) Save the access ticket to the database. When a vm console is opened, an access ticket will be generated and saved into the database. When the console is accessed, the management server will check the params to see if the vm is valid, the access ticket is not expired, etc. It will also check if the token is valid and has not been used.

##### ISSUE TYPE

* Bug Report

##### COMPONENT NAME

~~~
NoVNC console
~~~

##### CLOUDSTACK VERSION

~~~
4.15/master
~~~

##### STEPS TO REPRODUCE

1. Open a vm console. Example:

2. View the source of the page. Example:

```
<html><title>v-1-VM</title><frameset><frame src="https://10-135-126-207.cloud.leaseweb.net/resource/noVNC/vnc.html?port=8080&token=I-QW-IpdDhf3i82rJP_WctztYaq15O6ZP1Mya9F1VspNwDHDhXhQjRqO-ubZMM6YwJkfDNNEShT1K1XZmrnZvmv9ro504qoPqEuC9go5UlrQqBdJga-DAWaFKg0pv_QGo3xhGy4VSNCuj_N86ILC8wAQjmaqbSxyqFFfAlEc8UHxuyGiZG4YpHNnM6je3V82IV555AfnA1-3oyXh5tp9X-Bd7zeXRGIprt7_lwTnGxLgvdk06AoGseD4YabpB_aJLpvx3RfxuHD7hR1IrOrl9g"></frame></frameset></html>
```

3. Open the link on another server. It will not work the first time, but works after refresh (related to #4531).

##### EXPECTED RESULTS

~~~
The link in page source should NOT work in other servers, without login
~~~

##### ACTUAL RESULTS

~~~
We are able to access the vm console via the URL in page source, without login.
~~~

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
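As an added example (not CloudStack code and not part of the issue above), a Python sketch of the two checks the issue proposes: the client IP is bound into the token (option 1) and a server-side ticket record is checked for expiry and marked used on first redemption (option 2). `ConsoleTicketStore`, the HMAC-based token format and the sample IPs are constructed for illustration; CloudStack's real token is encrypted and handled in `ConsoleProxyClientParam`.

```python
import base64, hashlib, hmac, json, os, time


class ConsoleTicketStore:
    """Server-side store of single-use, expiring console access tickets.
    Constructed illustration (not CloudStack's code): an HMAC stands in for the
    encrypted token, the client IP is bound into it (option 1), and a record
    that is checked for expiry and marked used is kept per ticket (option 2)."""

    def __init__(self, key: bytes, ttl_seconds: int = 30, clock=time.time):
        self.key = key
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._tickets = {}  # ticket_id -> record; a real deployment uses a DB table

    def issue(self, vm_id: str, client_ip: str) -> str:
        """Create a ticket for one console open and return the URL token."""
        ticket_id = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
        self._tickets[ticket_id] = {"vm": vm_id, "ip": client_ip,
                                    "expires": self.clock() + self.ttl, "used": False}
        payload = json.dumps({"t": ticket_id, "vm": vm_id, "ip": client_ip},
                             separators=(",", ":")).encode()
        payload_b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        mac = hmac.new(self.key, payload_b64.encode(), hashlib.sha256).hexdigest()
        return f"{payload_b64}.{mac}"

    def redeem(self, token: str, client_ip: str):
        """Validate a token presented from client_ip; returns (accepted, reason)."""
        try:
            payload_b64, mac = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload_b64.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad signature"  # altered token: trust none of its fields
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        data = json.loads(base64.urlsafe_b64decode(padded))
        rec = self._tickets.get(data["t"])
        if rec is None:
            return False, "unknown ticket"
        if rec["used"]:
            return False, "already used"  # a copied URL cannot be replayed
        if self.clock() > rec["expires"]:
            return False, "expired"
        if rec["ip"] != client_ip:
            return False, "client ip mismatch"  # link opened from another host
        rec["used"] = True
        return True, "ok"
```

The IP check only helps where the management server and the CPVM see the same client address, which is the caveat the issue itself raises.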
