Bug 1968760 - openstack-nova: novnc allows open redirection [openstack-17.0]
Summary: openstack-nova: novnc allows open redirection [openstack-17.0]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: Alpha
: 17.0
Assignee: melanie witt
QA Contact: James Parker
URL:
Whiteboard:
Depends On: 1961337
Blocks: 1961346 1961351
Reported: 2021-06-07 22:38 UTC by melanie witt
Modified: 2022-09-21 12:16 UTC (History)

Fixed In Version: openstack-nova-23.2.2-0.20220705171705.7074ac0.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1961337
Environment:
Last Closed: 2022-09-21 12:15:48 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1927677 | 0 | None | None | None | 2021-06-07 22:38:28 UTC
OpenStack gerrit | 791577 | 0 | None | NEW | Reject open redirection in the console proxy | 2021-06-07 22:38:28 UTC
OpenStack gerrit | 805654 | 0 | None | MERGED | address open redirect with 3 forward slashes | 2021-11-18 03:39:07 UTC
Red Hat Issue Tracker | OSP-4437 | 0 | None | None | None | 2021-11-18 03:40:58 UTC
Red Hat Product Errata | RHEA-2022:6543 | 0 | None | None | None | 2022-09-21 12:16:42 UTC

Description melanie witt 2021-06-07 22:38:29 UTC
+++ This bug was initially created as a clone of Bug #1961337 +++

Copied from the upstream bug [1]:

"This bug report is related to Security.

Currently novnc is allowing open redirection, which could potentially be used for phishing attempts.

To test:
https://<sites' vnc domain>//example.com/%2F..
include .. at the end

For example:
http://vncproxy.my.domain.com//example.com/%2F..

It will redirect to example.com. You can replace example.com with some legitimate domain or spoofed domain.

The description of the risk is
By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance."

[1] https://bugs.launchpad.net/nova/+bug/1927677
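
How the redirect described above arises and the check that stops it, as an added example (not code from nova, novnc or this report's author); it assumes the proxy's directory redirect follows the pattern of Python's http.server SimpleHTTPRequestHandler, and the function names are hypothetical:

```python
"""Added example; not code from nova, novnc or this report's author.

Models two steps of Python's http.server SimpleHTTPRequestHandler, assumed
here to be the base of the console proxy's request handler: (1) the request
path is normalized to a local file; (2) if that file is a directory and the
URL lacks a trailing '/', the handler replies 301 with
"Location: <request path>/".  Function names are hypothetical.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit


def resolves_to_document_root(request_path: str) -> bool:
    """Step 1, kept purely syntactic: after unquoting and collapsing '..',
    does only the served directory remain?  '//example.com/%2F..' unquotes
    to '//example.com//..' and collapses to '//', i.e. the root directory."""
    path = request_path.split('?', 1)[0].split('#', 1)[0]
    path = posixpath.normpath(unquote(path))
    return all(seg in ('', '.', '..') for seg in path.split('/'))


def unpatched_location(request_path: str) -> Optional[str]:
    """Step 2 as the unpatched handler does it.  urlsplit() reads a leading
    '//' as an authority, so the rebuilt Location keeps it, and a browser
    resolves '//example.com/...' against example.com, not the proxy."""
    if not resolves_to_document_root(request_path):
        return None
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return None  # already a directory URL: no redirect is sent
    return urlunsplit((parts[0], parts[1], parts[2] + '/', parts[3], parts[4]))


def normalize_request_path(request_path: str) -> str:
    """Hardening: collapse any run of leading slashes to a single '/' before
    the path is used, so no Location header can begin with '//'."""
    if request_path.startswith('//'):
        return '/' + request_path.lstrip('/')
    return request_path


def patched_location(request_path: str) -> Optional[str]:
    """The same redirect logic applied to the normalized path."""
    return unpatched_location(normalize_request_path(request_path))


def leaves_site(location: Optional[str]) -> bool:
    """True when a Location value points at a different host."""
    return bool(location) and urlsplit(location).netloc != ''
```

With the constructed request path `//example.com/%2F..`, `unpatched_location` yields a Location of `//example.com/%2F../` (off-site), while `patched_location` yields `/example.com/%2F../`, a harmless same-site redirect.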

Comment 11 errata-xmlrpc 2022-09-21 12:15:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

