Thirdparty site authorization header leak in sparklemotion/mechanize

Valid

Reported on

Apr 28th 2022

Description

The mechanize library is used to manipulate URLs and crawl the contents of web pages. mechanize does not filter request headers after a redirect: it also forwards the Authorization and Cookie request headers of the first request to the service it is redirected to, disclosing those headers to that service. An attacker can use this vulnerability to passively steal the user's authentication and cookie data.

mechanize does not remove the 'Authorization' and 'Cookie' headers when a redirect crosses to a different port on the same host.

Proof of Concept

When it receives a 302 redirect from A, it requests B with the Authorization/Cookie headers still attached.

# PoC.rb (Ruby; the original comment mislabelled the file as JavaScript)
require 'rubygems'
require 'mechanize'

agent = Mechanize.new
# Seed the cookie jar with a session cookie scoped to the host, but not to a port.
cookie = Mechanize::Cookie.new("JSESSIONID", "BA58528B76124698AD033EE6DF12B986")
cookie.domain = "localhost"
cookie.path = "/"
agent.cookie_jar.add!(cookie)
# A (port 3399) answers with a 302 to B on another port of the same host;
# the follow-up request to B carries the Authorization/Cookie headers.
page = agent.get('http://A:3399/auth')
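As an added defensive illustration (not code from Mechanize or from the reporter), the same-origin rule an HTTP client should apply before carrying credentials onto a redirect target: scheme, host and port must all match, so a 302 from port 3399 to another port on the same host drops Authorization and Cookie. The header names and sample values below are constructed, and the check operates on explicit request headers rather than on Mechanize's cookie jar.

```ruby
# Added example: decide which request headers may follow a redirect.
# Credentials survive only when the redirect stays on the same origin,
# i.e. scheme, host and port all match. A change of port alone (the case
# in the report) is treated as a different origin.
require 'uri'

SENSITIVE_HEADERS = %w[authorization cookie].freeze

# Returns [scheme, host, port] with the default port filled in, so that
# "http://a/" and "http://a:80/" compare as the same origin.
def origin_of(uri)
  u = uri.is_a?(URI::Generic) ? uri : URI.parse(uri)
  [u.scheme.downcase, u.host.downcase, u.port]
end

def same_origin?(from, to)
  origin_of(from) == origin_of(to)
end

# Returns a new header hash for the redirected request. Header names are
# compared case-insensitively; non-sensitive headers are always kept.
def headers_for_redirect(from, to, headers)
  return headers.dup if same_origin?(from, to)
  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.to_s.downcase) }
end

# Demonstration with constructed values (hypothetical token and cookie).
if __FILE__ == $PROGRAM_NAME
  original = 'http://localhost:3399/auth'
  headers  = { 'Authorization' => 'Bearer example-token',
               'Cookie' => 'JSESSIONID=example',
               'User-Agent' => 'example-client' }
  { 'http://localhost:3399/home'    => 'same origin, credentials kept',
    'http://localhost:3400/collect' => 'other port, credentials dropped',
    'https://localhost:3399/auth'   => 'other scheme, credentials dropped' }.each do |target, note|
    kept = headers_for_redirect(original, target, headers).keys
    puts "#{target}: #{kept.inspect} (#{note})"
  end
end
```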

Impact

Unauthorized interception and/or retrieval.

Occurrences

We are processing your report and will contact the sparklemotion/mechanize team within 24 hours. 2 months ago
wochicheng modified the report 2 months ago
We have contacted a member of the sparklemotion/mechanize team and are waiting to hear back 2 months ago
sparklemotion/mechanize maintainer, 2 months ago

Thank you for reporting this. I will investigate.

We have sent a follow up to the sparklemotion/mechanize team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the sparklemotion/mechanize team. We will try again in 10 days. 2 months ago
sparklemotion/mechanize maintainer has acknowledged this report 2 months ago
Mike Dalessio, 19 days ago

Confirmed, will be generating a CVE for this issue and patching in an upcoming Mechanize release.

I will credit you as github user @wochicheng. Please let me know if you have a name you would prefer me to use.

Thank you!

Mike Dalessio modified the Severity from Medium to Low 19 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Mike Dalessio validated this vulnerability 19 days ago

@admin please do not generate a CVE, one has already been requested.

wochicheng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mike Dalessio, 18 days ago

CVE has been generated: CVE-2022-31033

Mike Dalessio confirmed that a fix has been merged on 907c77 16 days ago
Mike Dalessio has been awarded the fix bounty
agent.rb#L1001 has been validated
Mike Dalessio, 16 days ago

Mechanize v2.8.5 has been released patching this vulnerability.

wochicheng (Researcher), 16 days ago
Please credit as Kaibo Sun at Murphysec, thanks a lot.