Thirdparty site authorization header leak in sparklemotion/mechanize

Valid

Reported on

Apr 28th 2022


Description

The mechanize library is used to fetch web pages and crawl their contents. mechanize does not filter request headers after a redirect: it forwards the authentication and cookie request headers of the first request to the service it is redirected to, which discloses those headers to that service. An attacker can use this vulnerability to passively steal the user's authentication and cookie data.

mechanize does not remove the 'Authorization' and 'Cookie' headers when the redirect crosses to a different port on the same host.

Proof of Concept

The agent requests B with the Authorization/Cookie headers when it receives a 302 redirect from A.

# PoC.rb (Ruby; A and B are placeholders for the two hosts used in the test)
require 'rubygems'
require 'mechanize'

agent = Mechanize.new

# Attach a session cookie to the agent's jar; this is the header that the
# vulnerable version forwards to the redirect target on a different host/port.
cookie = Mechanize::Cookie.new("JSESSIONID", "BA58528B76124698AD033EE6DF12B986")
cookie.domain = "localhost"
cookie.path = "/"
agent.cookie_jar.add!(cookie)

# A answers with a 302 Location pointing at B; the vulnerable agent follows it
# and sends the Cookie (and any Authorization) header to B as well.
page = agent.get('http://A:3399/auth')
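The report describes credentials leaking because the first request's Authorization and Cookie headers follow a 302 to a different host or port. As an added example that is not part of the original report and not Mechanize's own code, the Ruby below shows the same-origin check a client can apply before re-sending headers to a redirect target: credential headers are kept only when scheme, host and port of the target match the original request. The host names, header values and helper names are constructed for illustration.

```ruby
require 'uri'

# Added example (not Mechanize's own code): decide which request headers may
# follow a 3xx redirect. Headers that carry credentials for the original
# origin are dropped when the redirect target is a different origin, i.e.
# when scheme, host or port differ. That is exactly the cross-port case the
# report above describes for Authorization and Cookie.
CREDENTIAL_HEADERS = %w[authorization cookie].freeze

# True when both URIs share scheme, host (case-insensitive) and effective port.
# URI fills in the default port (80/443) when none is given, so
# "http://h/" and "http://h:80/" compare as the same origin.
def same_origin?(from, to)
  from = URI(from)
  to   = URI(to)
  from.scheme == to.scheme &&
    from.host.to_s.casecmp?(to.host.to_s) &&
    from.port == to.port
end

# Returns the headers that should accompany the redirected request to +to+
# after a request to +from+ answered with a redirect. Credential headers
# survive only on a same-origin hop. Header names are compared
# case-insensitively and the caller's hash is left untouched.
def headers_for_redirect(from, to, headers)
  return headers.dup if same_origin?(from, to)
  headers.reject { |name, _| CREDENTIAL_HEADERS.include?(name.to_s.downcase) }
end

# Constructed sample: the first request carries a session cookie and a bearer
# token (hypothetical values, not taken from any real session).
SAMPLE_HEADERS = {
  'Authorization' => 'Bearer example-token',
  'Cookie'        => 'JSESSIONID=BA58528B76124698AD033EE6DF12B986',
  'User-Agent'    => 'Mechanize/example',
  'Accept'        => 'text/html',
}.freeze

if __FILE__ == $PROGRAM_NAME
  from = 'http://localhost:3399/auth'
  [
    'http://localhost:3399/landing',  # same origin: credentials kept
    'http://localhost:4000/landing',  # same host, other port: stripped
    'http://other.example/landing',   # other host: stripped
    'https://localhost:3399/landing', # other scheme: stripped
  ].each do |to|
    kept = headers_for_redirect(from, to, SAMPLE_HEADERS).keys
    puts "#{to} -> #{kept.join(', ')}"
  end
end
```

The check is deliberately strict: a scheme change (http to https) also drops the credentials, because a header bound to one origin has no business on another even when host and port match.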

Impact

Unauthorized interception and/or retrieval of the user's authentication and cookie headers.

Occurrences

We are processing your report and will contact the sparklemotion/mechanize team within 24 hours. a year ago
wochicheng modified the report
a year ago
We have contacted a member of the sparklemotion/mechanize team and are waiting to hear back a year ago
sparklemotion/mechanize maintainer
a year ago

Maintainer


Thank you for reporting this. I will investigate.

We have sent a follow up to the sparklemotion/mechanize team. We will try again in 7 days. a year ago
We have sent a second follow up to the sparklemotion/mechanize team. We will try again in 10 days. a year ago
sparklemotion/mechanize maintainer has acknowledged this report a year ago
Mike Dalessio
a year ago

Maintainer


Confirmed, will be generating a CVE for this issue and patching in an upcoming Mechanize release.

I will credit you as github user @wochicheng. Please let me know if you have a name you would prefer me to use.

Thank you!

Mike Dalessio modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Mike Dalessio validated this vulnerability a year ago

@admin please do not generate a CVE, one has already been requested.

wochicheng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mike Dalessio
a year ago

Maintainer


CVE has been generated: CVE-2022-31033

Mike Dalessio marked this as fixed in v2.8.5 with commit 907c77 a year ago
Mike Dalessio has been awarded the fix bounty
This vulnerability will not receive a CVE
agent.rb#L1001 has been validated
Mike Dalessio
a year ago

Maintainer


Mechanize v2.8.5 has been released patching this vulnerability.

wochicheng
a year ago

Researcher


Please credit as Kaibo Sun at Murphysec, thanks a lot.
