Origin validation Bypass in ikus060/rdiffweb

Valid

Reported on

Oct 6th 2022


In the following python script

    if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
        origin = request.headers.get('Origin', None)
        if origin and not origin.startswith(request.base):
            raise cherrypy.HTTPError(403, 'Unexpected Origin header')

Explanation:

In the above lines of code, The origin is being only validated from the start of domain name only https://rdiffweb-demo.ikus-soft.com. But it isn't validated after the actual domain name https://rdiffweb-demo.ikus-soft.com .nithissh.com

For Example,

If we enter the following domain https://nithissh.com.rdiffweb-demo.ikus-soft.com as an origin and then the origin header being validated and returns a 403 status as expected in the code

But Now we can bypass the above validation check, By a creating subdomain after the soft.com.^ as follows https://rdiffweb-demo.ikus-soft.com .nithissh.com.

Impact

These kind of origin validation bypasses helps in chaining with other vulnerabilities like CSRF, XSS and Clickjack as well

Remediation

This is a snippet of regex for a user input and we can make use of this in the Origin header validation as well

import re

def use_regex(input_text):
    pattern = re.compile(r"^rdiffweb-demo\.ikus-soft\.com$", re.IGNORECASE)
    return pattern.match(input_text)
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 2 months ago
Patrik Dufresne modified the Severity from Medium (6.5) to Medium (4.8) 2 months ago
Patrik Dufresne
2 months ago

Maintainer


@Nithissh12

It's very unlikely to work since Rdiffweb is installed behind a reverse proxy that would not know how to respond to "https://rdiffweb-demo.ikus-soft.com .nithissh.com"

Have you been able to exploit this vulnerability with rdiffweb-demo.ikus-soft.com ?

Nithissh12
2 months ago

Researcher


It isn’t possible as of now but In future we can able to use this vulnerability to exploit such vulnerabilities like XSS, CSRF in future

We have sent a follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
Patrik Dufresne modified the Severity from Medium (4.8) to Low (3.7) 2 months ago
Patrik Dufresne assigned a CVE to this report 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability 2 months ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nithissh12
2 months ago

Researcher


Thanks Patrik, Have a great day ahead

Nithissh12
2 months ago

Researcher


@admin Is it possible to collaborator here ?

Pavlos
2 months ago

Admin


Hey @nithissh12 unfortunately we don't support collaboration just yet...

Patrik Dufresne marked this as fixed in 2.5.0a5 with commit afc1bd 2 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
secure_headers.py#L60-L63 has been validated
Patrik Dufresne published this vulnerability 15 days ago
to join this conversation