Reviewed:  https://review.opendev.org/c/openstack/nova/+/791297
Committed: https://opendev.org/openstack/nova/commit/781612b33282ed298f742c85dab58a075c8b793e
Submitter: "Zuul (22348)"
Branch:    master

commit 781612b33282ed298f742c85dab58a075c8b793e
Author: melanie witt <[email protected]>
Date:   Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy

    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs in
    the following format:

      http://vncproxy.my.domain.com//example.com/%2F..

    which, if visited, will redirect a user to example.com.

    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.

    This code is copied from a patch suggested in one of the issue
    comments [2].

    Closes-Bug: #1927677

    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545

    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24

** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1927677

Title:
  novnc allowing open redirection which could potentially be used for
  phishing

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) train series:
  New
Status in OpenStack Compute (nova) ussuri series:
  New
Status in OpenStack Compute (nova) victoria series:
  New
Status in OpenStack Compute (nova) wallaby series:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This bug report is related to Security.

  Currently novnc is allowing open redirection, which could potentially
  be used for phishing attempts.

  To test:

    https://<sites' vnc domain>//example.com/%2F..

  (include .. at the end). For example:

    http://vncproxy.my.domain.com//example.com/%2F..

  It will redirect to example.com.
  You can replace example.com with some legitimate domain or spoofed
  domain.

  The description of the risk is: by modifying untrusted URL input to a
  malicious site, an attacker may successfully launch a phishing scam and
  steal user credentials. Because the server name in the modified link is
  identical to the original site, phishing attempts may have a more
  trustworthy appearance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1927677/+subscriptions
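The commit message above describes the mitigation in one sentence: override SimpleHTTPRequestHandler.send_head() and answer 400 Bad Request whenever the redirect the stock handler would issue begins with "//". The block below is an added example of that approach, not the nova patch and not CPython's own fix. It reproduces how the unpatched stdlib builds the Location value (urlsplit of the request path, netloc kept, trailing "/" appended) so the check can be unit-tested without a socket, then applies it from a handler subclass. The names redirect_target_for, is_open_redirect and NoOpenRedirectHandler are assumptions, and the request paths in the demo are constructed.

```python
"""Reject protocol-relative ("//host/...") redirects from SimpleHTTPRequestHandler.

Added example modeled on the approach in the commit message; helper and class
names are assumptions, not nova's or CPython's identifiers.
"""
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler
from urllib.parse import urlsplit, urlunsplit


def redirect_target_for(request_path: str) -> str:
    """Return the Location value the stock handler would emit when a request
    for a directory lacks a trailing slash, or '' when no redirect applies.

    The stock handler keeps the netloc that urlsplit() parses out of the
    request path, so a path of '//example.com/%2F..' turns into a redirect
    to '//example.com/%2F../', which browsers resolve on another host.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return ''
    return urlunsplit((parts.scheme, parts.netloc, parts.path + '/',
                       parts.query, parts.fragment))


def is_open_redirect(request_path: str) -> bool:
    """True when serving this path could produce 'Location: //host/...'."""
    return redirect_target_for(request_path).startswith('//')


class NoOpenRedirectHandler(SimpleHTTPRequestHandler):
    """Handler that rejects the redirect before the stock send_head() builds it.

    The check runs on every request, not only directory hits, because a
    request path that would ever redirect off-site has no legitimate use here.
    """

    def send_head(self):
        if is_open_redirect(self.path):
            # Same outcome the commit describes: 400 instead of a 301 off-site.
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()


if __name__ == "__main__":
    # Constructed request paths: the pattern from the bug report beside paths
    # a console proxy would normally serve.
    for path in ("//example.com/%2F..", "/vnc_auto.html", "/static/",
                 "/console?token=abc"):
        verdict = "reject 400" if is_open_redirect(path) else "serve"
        print(f"{path!r:28} -> {verdict}  (Location would be "
              f"{redirect_target_for(path)!r})")
```

The two helpers are separated from the handler so the decision can be checked in a unit test from a plain string; the handler itself only wires that decision in front of the inherited send_head(). Note the check keys on the Location value, not on the raw path, which is why a bare "//example.com/" (trailing slash already present) is not rejected: the stock handler never issues a redirect for it in the first place.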

