Reviewed: https://review.opendev.org/c/openstack/horizon/+/857740 Committed: https://opendev.org/openstack/horizon/commit/79d139594290779b2f74ca894332aa7f2f7e4735 Submitter: "Zuul (22348)" Branch: master
commit 79d139594290779b2f74ca894332aa7f2f7e4735 Author: manchandavishal <[email protected]> Date: Wed Sep 14 22:17:58 2022 +0530 Fix success_url parameter issue for Edit Snapshot The "success_url" param is used when updating the project snapshot [1] and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website. This patch update 'Updateview' class to not use the "sucess_url" method. Closes-bug: #1982676 [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109 Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b ** Changed in: horizon Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1982676 Title: Open redirect / phishing attack via "success_url" parameter in OpenStack Status in OpenStack Dashboard (Horizon): Fix Released Status in OpenStack Security Advisory: Incomplete Bug description: The "success_url" param is used when updating the project snapshot and it lacks sanitizing the input URL that allows an attacker to redirect the user to another website. For instance, the URL below will redirect you to https://hacker.com: https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com The attacker can send this link to the user and when they click on the "Update" button the request and response will look like this: [+] Request POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1 Host: xxx.com Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 <====================>SNIP<====================> csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description= [+] Response HTTP/1.1 302 Found date: Tue, 12 Jul 2022 10:14:38 GMT server: Apache/2.4.41 (Ubuntu) location: https://hacker.com content-length: 0 x-horizon-location: https://hacker.com x-frame-options: SAMEORIGIN vary: Accept-Language,Cookie content-language: en <====================>SNIP<====================> Impact: The attacker can trick redirect users to the cloned website to steal information, a so-called Phishing Attack. CWE-601: URL Redirection to Untrusted Site ('Open Redirect') http://cwe.mitre.org/data/definitions/601.html I have tested it on OpenStack Xena so the Horizon dashboard could be between version 20.0.0 to 20.1.2. I haven't tested the bug on other versions. Unfortunately, I have discovered this bug when pen-testing a black box project so I do not have the log file. Hope my information helps you to understand the bug. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1982676/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
