** Changed in: horizon
       Status: Triaged => Won't Fix

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1454074

Title:
  denial of service via large number of logout page requests

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  While investigating CVE-2014-8124
  (https://bugs.launchpad.net/horizon/+bug/1394370) I think I found
  another instance of the underlying issue, but with the logout form.

  I'm on Ubuntu 14.04 LTS, with distro-packaged openstack-dashboard
  1:2014.1.4-0ubuntu2. I verified the patch from
  https://review.openstack.org/140356 is applied to the installed files.

  I configured horizon to use mysql datastore, and ran the following
  command:

    while true ; do wget http://localhost/horizon/auth/logout/ ; done

  While this command was running I checked the mysql dash database table
  django_sessions and found it growing without apparent bound:

    select * from django_session;
    ...
    231 rows in set (0.00 sec)

  Is this an issue?

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1454074/+subscriptions