This has been published as OSSN-0054: https://wiki.openstack.org/wiki/OSSN/OSSN-0054
** Changed in: ossn Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1457551 Title: Another Horizon login page vulnerability to a DoS attack Status in OpenStack Dashboard (Horizon): Won't Fix Status in OpenStack Security Advisory: Won't Fix Status in OpenStack Security Notes: Fix Released Bug description: This bug is very similar to: https://bugs.launchpad.net/bugs/1394370 Steps to reproduce: 1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL. 2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal. I've got 100 rows in django_session after this. I've used devstack installation just with updated master branch. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp