[Openstack-security] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

Matthias Runge 1457551 at bugs.launchpad.net
Fri Jul 17 08:04:44 UTC 2015


Kilo supports django-1.7.x
Horizon in Juno (and esp. django_openstack_auth) support only Django-1.6.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2)  Run 'for i in {1..100}; do  curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
  I've got 100 rows in django_session after this.

  I've used devstack installation just with updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions




More information about the Openstack-security mailing list