OpenStack Dashboard (Horizon) contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the 'next' parameter upon submission to the auth/login/ script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been committed to the CVS/GIT repository that addresses this vulnerability. Until it is incorporated into the next release of the software, manually patching an existing installation is the only known available solution. Check the vendor advisory or solution URL in the references section.

• CVE ID: 2012-3540 (see also: NVD)
• Secunia Advisory ID: 50480 50532
• Mail List Post: http://www.openwall.com/lists/oss-security/2012/08/30/4
• Vendor Specific News/Changelog Entry: http://www.ubuntu.com/usn/usn-1565-1/
  https://bugs.launchpad.net/horizon/+bug/1039077
• Vendor Specific Solution URL: https://review.openstack.org/#/c/12193/

• Thomas Biege - SuSE Security Team