[Openstack-security] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

Robert Clark 1457551 at bugs.launchpad.net
Wed Sep 2 20:55:07 UTC 2015 

Security project is happy to create an OSSN for this but we're waiting
for the upstream fix to provide complete guidance to OpenStack consumers
on how to mitigate this issue.

** Changed in: ossn
     Assignee: (unassigned) => Robert Clark (robert-clark)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2)  Run 'for i in {1..100}; do  curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
  I've got 100 rows in django_session after this.

  I've used devstack installation just with updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions

More information about the Openstack-security mailing list