[Openstack-security] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

Robert Clark 1457551 at bugs.launchpad.net
Wed Sep 2 21:53:22 UTC 2015 

** Changed in: ossn
       Status: New => Fix Committed

** Changed in: ossn
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Committed

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2)  Run 'for i in {1..100}; do  curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
  I've got 100 rows in django_session after this.

  I've used devstack installation just with updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions

More information about the Openstack-security mailing list