Bug 1077447 - [ovirt][engine-api] Force switch HTTPS to HTTP in REST API
Summary: [ovirt][engine-api] Force switch HTTPS to HTTP in REST API
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-api
Version: 3.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.4.0
Assignee: Alon Bar-Lev
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On:
Blocks: 1024889
 
Reported: 2014-03-18 03:23 UTC by lzhuang
Modified: 2014-03-31 12:28 UTC

Fixed In Version: ovirt-3.4.0-ga
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-31 12:28:24 UTC
oVirt Team: ---




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 25826 0 None MERGED packaging: spec: enforce ssl on legacy restapi Never
oVirt gerrit 25827 0 None MERGED packaging: spec: enforce ssl on legacy restapi Never
oVirt gerrit 25828 0 None MERGED packaging: spec: enforce ssl on legacy restapi Never

Description lzhuang 2014-03-18 03:23:00 UTC
Description of problem:
Attackers can force-switch all the REST APIs (https://<host_ip>/api) from HTTPS to HTTP, so an attacker can use a crafted HTML page to induce the victim user to connect over HTTP and eavesdrop on user credentials such as the authorization token.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Open http://<host_ip>/api in browser

Actual results:
Browser successfully opens the page

Expected results:
Should force a switch to https://<host_ip>/api

Additional info:

Comment 1 Alon Bar-Lev 2014-03-18 10:30:08 UTC
This was kept for backward compatibility as HTTP redirect is not mandatory in Rest API.

It is up to the 3rd party to select the channel to use.

Comment 2 Juan Hernández 2014-03-18 10:43:04 UTC
What backwards compatibility? The previous version didn't accept non encrypted connections.

Comment 3 Alon Bar-Lev 2014-03-18 10:56:27 UTC
(In reply to Juan Hernández from comment #2)
> What backwards compatibility? The previous version didn't accept non
> encrypted connections.

Correct.

My bad[1]

Was confused with other application.

[1] http://gerrit.ovirt.org/#/c/6827/

Comment 4 Juan Hernández 2014-03-18 11:04:36 UTC
Sandro, I think that 3.4.0 shouldn't be released without the fix for this bug.

Comment 5 Juan Hernández 2014-03-18 11:05:31 UTC
Can we make this bug public, please?

Comment 6 Alon Bar-Lev 2014-03-18 11:31:45 UTC
Removing restriction as impact is not that high.

Comment 7 Kurt Seifried 2014-03-21 20:38:24 UTC
SRT Note: this is a security hardening issue and not a security vulnerability, so no CVE/etc.

Comment 8 Kurt Seifried 2014-03-24 19:06:22 UTC
Some notes: I would suggest you add a permanent redirect (301 Moved Permanently) from HTTP pointing at HTTPS, and then, to prevent HTTP use in future, add an HSTS header: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
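
The two measures recommended in comment 8 (a permanent redirect from http://<host>/api to the https:// URL, plus a Strict-Transport-Security header on the HTTPS response) can be verified from the outside without touching the engine. The following is an added example, not oVirt's code and not what gerrit 25826 shipped: it evaluates a captured plain-HTTP response and the matching HTTPS response for `/api` and reports every way the endpoint falls short. The host name `engine.example.com` and all responses are constructed for the example; a real check would feed it the status and headers returned by the engine's httpd front end.

```python
"""Check that /api enforces TLS the way comment 8 recommends.

Added example, not part of the oVirt fix or the ovirt-engine code base. Given
the response a client gets for http://<host>/api and the response it gets for
https://<host>/api, verify that:
  1. the plain-HTTP request is answered with a permanent redirect (301 or 308)
     whose Location is the same path, over https, on the same host; and
  2. the HTTPS response carries a Strict-Transport-Security header with a
     max-age of at least one year.
All responses below are constructed for the example; no network access is made.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str]]  # (status code, headers with lowercase names)

ONE_YEAR = 365 * 24 * 3600


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into its directives, e.g.
    'max-age=31536000; includeSubDomains' -> {'max-age': '31536000',
    'includesubdomains': ''}.  Directive names are case-insensitive (RFC 6797)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_redirect(http_response: Response, host: str, path: str = "/api") -> List[str]:
    """Problems with the plain-HTTP answer.  An HTTP 200 here is the bug as
    reported: the API is served in the clear and a token can be sniffed."""
    status, headers = http_response
    problems: List[str] = []
    if status not in (301, 308):
        problems.append(f"plain HTTP answered {status}, expected 301/308")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header on the plain-HTTP response")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if target.hostname != host.lower():
        problems.append(f"redirect leaves the host: {location}")
    if target.path != path:
        problems.append(f"redirect changes the path: {location}")
    return problems


def check_hsts(https_response: Response, min_max_age: int = ONE_YEAR) -> List[str]:
    """Problems with the HSTS policy on the HTTPS answer.  Without HSTS the
    browser still sends its first request over plain HTTP, where an on-path
    attacker can intercept it before any redirect is seen."""
    _, headers = https_response
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"HSTS max-age missing or not an integer: {value!r}"]
    if max_age < min_max_age:
        return [f"HSTS max-age {max_age} is below {min_max_age}"]
    return []


def check_endpoint(http_response: Response, https_response: Response,
                   host: str, path: str = "/api") -> List[str]:
    """All hardening problems for one endpoint; an empty list means it passes."""
    return check_redirect(http_response, host, path) + check_hsts(https_response)


# Constructed responses for a hypothetical engine host (not real captures).
HOST = "engine.example.com"
HTTP_BEFORE_FIX: Response = (200, {"content-type": "application/xml"})
HTTP_AFTER_FIX: Response = (301, {"location": f"https://{HOST}/api"})
HTTP_BAD_REDIRECT: Response = (302, {"location": f"http://{HOST}/api"})  # still plain http
HTTPS_NO_HSTS: Response = (200, {"content-type": "application/xml"})
HTTPS_WITH_HSTS: Response = (200, {
    "content-type": "application/xml",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
})

if __name__ == "__main__":
    for label, http, https in [
        ("before fix", HTTP_BEFORE_FIX, HTTPS_NO_HSTS),
        ("downgrade redirect", HTTP_BAD_REDIRECT, HTTPS_WITH_HSTS),
        ("after fix + HSTS", HTTP_AFTER_FIX, HTTPS_WITH_HSTS),
    ]:
        problems = check_endpoint(http, https, HOST)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The redirect check deliberately rejects a redirect to an `http://` Location and a temporary (302) redirect: the first leaves the request in the clear, and the second lets a client keep trying plain HTTP on every visit. The HSTS check treats a missing or short `max-age` as a failure because the header only protects later visits once the browser has cached it for a meaningful period.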

Comment 9 Sandro Bonazzola 2014-03-31 12:28:24 UTC
This is an automated message: moving to CLOSED CURRENTRELEASE since oVirt 3.4.0 has been released.

