** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1394370
Title:
[OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124)
Status in OpenStack Dashboard (Horizon):
Fix Committed
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Committed
Status in OpenStack Dashboard (Horizon) juno series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
We have horizon deployed with mysql sessions. I believe this issue
exists with all db backed sessions, and likely memcached too (but I
am not sure).
Every request to the login page is generating a new session record in the db.
This is based upon this line of code:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L41
What happens is as soon as you access request.session['foo'] then you are
going to get an entry in the db.
I have placed some debugging code in a variety of locations where we
are accessing the session store before we should be, which creates
these records:
https://github.com/openstack/horizon/blob/master/horizon/middleware.py#L94
The check for the timeout should never occur if there is no authenticated
user. So the check a few lines below needs to be moved higher.
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L50
This check I am not sure how to work around. We are accessing the session,
which creates records, just trying to keep track if a user is logged in or not.
It seems like we are not using the django auth mechanisms correctly here, and
I can't see if there is a workaround.
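The mechanism the report describes, modelled as an added example (not Horizon's or Django's code): a stand-in for Django's db session backend that writes a row the first time `request.session` is touched, a timeout check that reads the session for every request, and the variant the reporter proposes, which returns before touching the session when no user is authenticated. `FakeSessionTable`, `LazySession`, `FakeRequest`, `SESSION_TIMEOUT` and the two `timeout_check_*` functions are hypothetical names built for this illustration.

```python
"""Model of the per-request session-row growth described in the bug report.

Hypothetical in-memory stand-ins for Django's session table, SessionStore,
user and request objects (not Django itself), so the effect of reading
request.session before authentication can be measured offline.
"""
import time
import uuid


class FakeSessionTable:
    """Stand-in for the django_session table: session_key -> session data."""

    def __init__(self):
        self.rows = {}

    def row_count(self):
        return len(self.rows)


class LazySession:
    """Stand-in for the db SessionStore: no row exists until first access.

    A cookie-less (anonymous) request gets a fresh key and a new row the
    moment any code reads or writes the session dict.
    """

    def __init__(self, table, session_key=None):
        self._table = table
        self.session_key = session_key
        self._data = None

    def _load(self):
        if self._data is None:
            if self.session_key in self._table.rows:
                self._data = self._table.rows[self.session_key]
            else:
                # Absent or unknown key: allocate a new row right now.
                self.session_key = uuid.uuid4().hex
                self._data = {}
                self._table.rows[self.session_key] = self._data
        return self._data

    def get(self, key, default=None):
        return self._load().get(key, default)

    def __setitem__(self, key, value):
        self._load()[key] = value


class FakeUser:
    def __init__(self, authenticated):
        self.is_authenticated = authenticated


class FakeRequest:
    """Request with no session cookie unless cookie_key is given."""

    def __init__(self, table, authenticated=False, cookie_key=None):
        self.user = FakeUser(authenticated)
        self.session = LazySession(table, cookie_key)


SESSION_TIMEOUT = 1800  # seconds; constructed value for the model


def timeout_check_unconditional(request):
    """Pattern the report points at: touches the session on every request,
    so each anonymous login-page hit creates one row."""
    last_activity = request.session.get("last_activity")
    now = int(time.time())
    if last_activity is not None and now - last_activity > SESSION_TIMEOUT:
        return "expired"
    request.session["last_activity"] = now
    return "ok"


def timeout_check_auth_first(request):
    """Reporter's suggested ordering: skip the timeout logic, and therefore
    never touch the session, when no user is authenticated."""
    if not request.user.is_authenticated:
        return "anonymous"
    return timeout_check_unconditional(request)


def simulate_login_page_hits(check, hits, authenticated=False):
    """Push `hits` cookie-less requests through `check`; return rows created."""
    table = FakeSessionTable()
    for _ in range(hits):
        check(FakeRequest(table, authenticated=authenticated))
    return table.row_count()


if __name__ == "__main__":
    print("unconditional check:", simulate_login_page_hits(timeout_check_unconditional, 1000))
    print("auth-first check   :", simulate_login_page_hits(timeout_check_auth_first, 1000))
```

Running the module prints the row count after 1000 anonymous hits under each ordering; the unconditional variant grows the table by one row per hit, the auth-first variant leaves it empty. A real deployment can check the same thing by counting `django_session` rows before and after a burst of unauthenticated requests to the login URL.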
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1394370/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp