Date: Thu, 30 Aug 2012 11:10:16 -0400 From: Russell Bryant <rbryant@...hat.com> To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org Subject: [OSSA 2012-012] Horizon, Open redirect through 'next' parameter (CVE-2012-3542) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenStack Security Advisory: 2012-012 CVE: CVE-2012-3542 Date: August 30, 2012 Title: Open redirect through 'next' parameter Impact: Medium Reporter: Thomas Biege (SUSE) Products: Horizon Affects: Essex (2012.1) Description: Thomas Biege from SUSE reported a vulnerability in Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected. Fixes: 2012.1: https://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542 https://bugs.launchpad.net/horizon/+bug/1039077 Notes: This fix will be included in a future Essex (2012.1) release. - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlA/glMACgkQFg9ft4s9SAYMLACfdRBaonUw/CendCSy2gZh5hxw O64Anjkx1c5i1pfpGEbwNkyRDiALgWhC =5cbg -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.