Thirdparty site authorization header leak in sparklemotion/mechanize
Apr 28th 2022
The mechanize library is used to manipulate the URLs of web pages and crawl their contents. mechanize does not filter request headers after a redirect: it also forwards the authentication and cookie request headers of the first request to the service reached after the redirect, resulting in the disclosure of those authentication and cookie request headers. An attacker can use this vulnerability to passively steal the user's authentication and cookie data.
mechanize does not remove the 'Authorization' and 'Cookie' headers when transmitting across different ports on the same host.
Proof of Concept
It will request B with the Authorization/Cookie headers when it receives a 302 redirect from A.

```ruby
# PoC (Ruby script)
require 'rubygems'
require 'mechanize'

agent = Mechanize.new

# Plant a session cookie for the first host so that the Cookie header is sent.
cookie = Mechanize::Cookie.new("JSESSIONID", "BA58528B76124698AD033EE6DF12B986")
cookie.domain = "localhost"
cookie.path = "/"
agent.cookie_jar.add!(cookie)

# A answers with a 302 to B; mechanize follows it and re-sends the headers.
page = agent.get('http://A:3399/auth')
```
unauthorized interception and/or retrieval.
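The check a redirect-following client needs to make, as an added example that is not part of the report above nor Mechanize's own patch: credential-bearing headers (here Authorization, Cookie, and additionally Proxy-Authorization) are only forwarded when the Location target shares the original request's origin, i.e. scheme, host and port all match. The header names, the `same_origin?`/`headers_for_redirect` helpers and the sample values are assumptions for this example.

```ruby
require 'uri'

# Added example, not Mechanize's code: a conservative redirect policy that
# drops credential-bearing request headers whenever a redirect leaves the
# origin (scheme, host, port) of the original request. Names match
# case-insensitively, since HTTP header names are case-insensitive.
SENSITIVE_HEADERS = %w[authorization cookie proxy-authorization].freeze

# Two URLs share an origin only if scheme, host and effective port all match.
# URI#port already substitutes the scheme default (80/443) when none is given,
# so 'http://A/' and 'http://A:80/' compare equal.
def same_origin?(a, b)
  a = URI(a)
  b = URI(b)
  a.scheme&.downcase == b.scheme&.downcase &&
    a.host&.downcase == b.host&.downcase &&
    a.port == b.port
end

# Returns the headers that may be forwarded when following `location` from
# `original`. Relative Location values are resolved against the original URL,
# as a client would do; the caller's hash is never modified.
def headers_for_redirect(original, headers, location)
  target = URI(original).merge(location)
  return headers.dup if same_origin?(original, target)

  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.to_s.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample reproducing the report's scenario: a 302 from A:3399
  # to another port on the same host. Only User-Agent survives the hop.
  original = 'http://A:3399/auth'
  hdrs = { 'Authorization' => 'Bearer <placeholder>',
           'Cookie' => 'JSESSIONID=<placeholder>',
           'User-Agent' => 'demo' }
  puts headers_for_redirect(original, hdrs, 'http://A:3400/landing').keys.inspect
end
```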
Thank you for reporting this. I will investigate.
Confirmed, will be generating a CVE for this issue and patching in an upcoming Mechanize release.
I will credit you as GitHub user @wochicheng. Please let me know if you have a name you would prefer me to use.
@admin please do not generate a CVE, one has already been requested.
CVE has been generated: CVE-2022-31033
Mechanize v2.8.5 has been released patching this vulnerability.
Please credit as Kaibo Sun at Murphysec, thanks a lot.