Hi,
we opened a bug at OpenStack, 3 month ago, but nobody takes care about it. Due
to the OpenStack guidlines the bug report is now public readable.
https://bugs.launchpad.net/horizon/+bug/1980349
I am not a security expert and do not know how bad this bug is, there is now
CVE and so on. Please be kind.
# Description of the bug
We use OpenStack horizon in the following version: `git+https://opendev.org/
openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`
In Horizon there is the following code in Xena:
openstack_auth/views.py
```
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
...
```
This call is usually called during SAML-Auth, but you can call it on the
command line like this:
``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://
referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw
'token=mytoken'
``
The token is not checked.
So an attacker can control the content of the HTTP_REFERER and then an auth
POST request will be sent to this address.
I have changed the referer to a web server https://webserver/su-huhu/ and you
can find inside the logfile:
```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /
su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth
keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```
# Impact
* An attacker can hide his ip and do a brute force attack to any other ip via
all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then
send some ugly results (e.g. very long, never ending, wrong json code, ssl
protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if
it is behind a firewall, use DNS Servers with private zones). Note that you are
able to change the port number to any number. I have not tested, but perhaps
it is also possible to change the protocol to another value, let's say:
imap://user:passwort@ip/.
# Is this only relevant for xena
The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
```
only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid
to call this.