
Bug 1961337

Summary: novnc allowing open redirection which could potentially be used for phishing
Product: Red Hat OpenStack
Reporter: melanie witt <mwitt>
Component: openstack-nova
Assignee: melanie witt <mwitt>
Status: CLOSED MIGRATED
QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium
Docs Contact:
Priority: medium
Version: 18.0 (Zed)
CC: alifshit, dasmith, eglynn, jhakimra, kchamart, sbauza, sgordon, vromanso
Target Milestone: ga
Keywords: Security, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-nova-27.1.1-18.0.20230930093334.a869ab1.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1961346 1968760
Environment:
Last Closed: 2024-01-11 14:52:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1961346, 1961351, 1968760

Description melanie witt 2021-05-17 17:58:48 UTC
Copied from the upstream bug [1]:

"This bug report is related to Security.

Currently novnc is allowing open redirection, which could potentially be used for phishing attempts.

To test:
https://<sites' vnc domain>//example.com/%2F..
include .. at the end

For example:
http://vncproxy.my.domain.com//example.com/%2F..

It will redirect to example.com. You can replace example.com with some legitimate domain or spoofed domain.

The description of the risk is:
By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance."

[1] https://bugs.launchpad.net/nova/+bug/1927677
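Why that URL leaves the site, and the check a proxy handler can make before building any redirect, as an added example (my code, not nova's or noVNC's): it re-creates the trailing-slash directory redirect of the Python http.server base class that websockify-based proxies inherit. DOC_ROOT is a constructed placeholder and the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

DOC_ROOT = "/srv/novnc"   # constructed placeholder for the proxy's web root


def translate_path(request_path: str, root: str = DOC_ROOT) -> str:
    """Map a request target onto the filesystem the way the stdlib handler
    does: strip query/fragment, percent-decode, normalise, then re-join the
    remaining components under the web root. '//example.com/%2F..' decodes
    to '//example.com//..' and collapses to the root directory itself."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = posixpath.normpath(unquote(path))
    words = [w for w in path.split("/") if w and w not in (".", "..")]
    return posixpath.join(root, *words) if words else root


def directory_redirect_location(request_path: str) -> str:
    """Trailing-slash redirect as the stdlib handler builds it: urlsplit() the
    raw request target and re-assemble it with '/' appended. A target that
    starts with '//' is parsed as a netloc, so the Location header becomes a
    protocol-relative URL pointing at that host."""
    parts = urlsplit(request_path)
    if parts.path.endswith("/"):
        return request_path
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def is_local_path(request_path: str) -> bool:
    """Accept only a rooted, origin-relative path: anything urlsplit() reads
    as a scheme or netloc (including a leading '//') would leave the site."""
    parts = urlsplit(request_path)
    if parts.scheme or parts.netloc:
        return False
    return request_path.startswith("/") and not request_path.startswith("//")


def build_response(request_path: str, hardened: bool) -> tuple:
    """Constructed sketch of the directory-redirect branch. In this sketch the
    web root is the only directory, so only targets collapsing to it redirect.
    The hardened variant validates the target before any Location is built."""
    if hardened and not is_local_path(request_path):
        return (400, None)
    if (translate_path(request_path) == DOC_ROOT
            and not urlsplit(request_path).path.endswith("/")):
        return (301, directory_redirect_location(request_path))
    return (200, None)
```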