Russel Bryant (rbryant) from the OpenStack Project reports:

Title: Open redirect through 'next' parameter
Impact: Medium
Reporter: Thomas Biege (SUSE)
Products: Horizon
Affects: Essex

Description:
Thomas Biege from SUSE reported a vulnerability in the Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected.

Proposed patch: See attached diff. This proposed patch will be merged into the stable/essex branch on the public disclosure date.
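To make the reported flaw concrete, the following is an added example (not Horizon's code and not the attached or upstream patch) contrasting the unsafe pattern of trusting a non-empty 'next' value with a same-site check of the kind a login view needs before redirecting. The function names, the allowed host 'horizon.example', the landing page '/nova/' and the sample URLs are assumptions made for illustration.

```python
"""
Post-login 'next' handling: the open-redirect pattern beside a hardened check.

Added example for this bug report; not Horizon's code and not the upstream patch.
The helper names, the allowed host 'horizon.example', the landing page and the
sample URLs are assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Assumed deployment: the only hostname users may be sent back to after login.
ALLOWED_HOSTS = {"horizon.example"}
# Assumed equivalent of a configured LOGIN_REDIRECT_URL.
DEFAULT_LANDING = "/nova/"


def vulnerable_post_login_redirect(next_param, default=DEFAULT_LANDING):
    """The unsafe pattern: trust 'next' as long as it is non-empty.

    A link such as /auth/login/?next=http://attacker.example/ sends the
    victim off-site immediately after they authenticate.
    """
    return next_param or default


def is_local_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if 'url' resolves to the current site.

    Rejects absolute URLs to other hosts, protocol-relative URLs (//host),
    backslash variants that browsers normalise to slashes, userinfo tricks
    (http://good@evil), and any scheme other than http(s).
    """
    if not url:
        return False
    # Browsers strip or tolerate control characters and whitespace in ways
    # that differ from urlsplit; refuse them rather than guess.
    if any(ord(ch) < 0x20 or ch == " " for ch in url):
        return False
    # Browsers treat '\' like '/', so '/\evil.example' means '//evil.example'.
    normalised = url.replace("\\", "/")
    # urlsplit reports no netloc for '///evil.example', yet browsers read a
    # host out of it, so refuse anything that begins with two slashes.
    if normalised.startswith("//"):
        return False
    try:
        parts = urlsplit(normalised)
    except ValueError:           # e.g. malformed IPv6 brackets
        return False
    # A scheme with no host ('javascript:...', 'http:evil') is never local.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme not in ("", "http", "https"):
        return False
    # .hostname drops userinfo and port and lowercases, so
    # 'http://horizon.example@attacker.example/' yields 'attacker.example'.
    if parts.netloc and (parts.hostname or "") not in allowed_hosts:
        return False
    return True


def safe_post_login_redirect(next_param, default=DEFAULT_LANDING):
    """Hardened version: use 'next' only when it stays on this site,
    otherwise fall back to the configured landing page."""
    if is_local_url(next_param):
        return next_param
    return default


if __name__ == "__main__":
    for candidate in ("/nova/instances/", "http://attacker.example/",
                      "//attacker.example/", "/\\attacker.example/"):
        print(f"{candidate!r:32} vulnerable -> {vulnerable_post_login_redirect(candidate)!r:32}"
              f" safe -> {safe_post_login_redirect(candidate)!r}")
```

The check is deliberately stricter than a plain hostname comparison: the two-slash and backslash cases exist because browsers and urlsplit disagree about where the host ends, and the "scheme without host" rule closes the javascript: and http:evil forms that a netloc-only check would wave through.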
Created attachment 607380: CVE-2012-3540-auth_forms.patch
Created python-django-horizon tracking bugs for this issue Affects: fedora-17 [bug 853241]
Created python-django-horizon tracking bugs for this issue Affects: epel-6 [bug 853243]
This is now public https://lists.launchpad.net/openstack/msg16281.html
Upstream patch: https://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b
Acknowledgements: Red Hat would like to thank Thomas Biege of SUSE for reporting this issue.
This issue has been addressed in the following products: OpenStack Essex for RHEL 6, via RHSA-2012:1380 https://rhn.redhat.com/errata/RHSA-2012-1380.html