OSSA-2012-012: Open redirect through ‘next’ parameter

Date: August 30, 2012
CVE: CVE-2012-3540

Affects

  • Horizon: Essex (2012.1)

Description

Thomas Biege from SUSE reported a vulnerability in the Horizon authentication mechanism. By adding a malicious ‘next’ parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, an attacker might get the victim redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected.
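The kind of check that closes this class of redirect, as an added example (not Horizon's code and not the actual fix for CVE-2012-3540): the post-login handler honours `next` only when it is a local path or points at the host that served the request. The function names, `DEFAULT_REDIRECT` and the host `horizon.example.test` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_REDIRECT = "/"  # assumed post-login landing page


def is_safe_redirect(target, allowed_host):
    """Return True only if `target` is a local path or stays on `allowed_host`."""
    if not target:
        return False
    # Browsers ignore leading whitespace and control characters, so reject
    # them outright instead of guessing how the URL will be interpreted.
    if target != target.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/", so "/\host" behaves like "//host".
    target = target.replace("\\", "/")
    # urlsplit() reads "///host" as a path; browsers may read it as a host.
    if target.startswith("///"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ...
    if parts.scheme and not parts.netloc:
        return False  # "http:///host" or "https:/path" style ambiguities
    if parts.netloc:
        # Exact match also rejects "allowed_host@other-host" userinfo tricks.
        return parts.netloc.lower() == allowed_host.lower()
    return target.startswith("/")


def post_login_redirect(next_param, request_host):
    """Destination after a successful login; falls back to the default page."""
    if is_safe_redirect(next_param, request_host):
        return next_param
    return DEFAULT_REDIRECT


if __name__ == "__main__":
    host = "horizon.example.test"  # constructed sample host
    samples = ["/project/instances/", "https://horizon.example.test/admin/",
               "https://other.example/login", "//other.example/", "/\\other.example",
               "http:///other.example", "javascript:alert(1)"]  # constructed inputs
    for candidate in samples:
        print(f"{candidate!r:45} -> {post_login_redirect(candidate, host)!r}")
```
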

Credits

  • Thomas Biege from SUSE (CVE-2012-3540)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.