Origin Validation Error in zoujingli/thinkadmin

Status: Valid

Reported on Aug 25th 2021


✍️ Description

The application's cross-origin resource sharing (CORS) policy reflects whatever value is sent in the Origin request header back in Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true, so any domain can make credentialed cross-origin requests and read the responses.

🕵️‍♂️ Proof of Concept

Request:

GET /data/shop.goods/index.html HTTP/2
Host: testdomain11.com
Cookie: lang=zh-cn; PHPSESSID=45780759c5ea6ae0be9cfc95fde04bc9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers
Origin: https://evilsite.com

Response:

HTTP/2 200 OK
Server: nginx
Date: Wed, 25 Aug 2021 12:02:02 GMT
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: https://evilsite.com
Access-Control-Allow-Methods: GET,PUT,POST,PATCH,DELETE
Access-Control-Allow-Headers: Authorization,Content-Type,If-Match,If-Modified-Since,If-None-Match,If-Unmodified-Since,X-Requested-With,Api-Name,Api-Type,Api-Token,User-Form-Token,User-Token,Token
Access-Control-Expose-Headers: Api-Name,Api-Type,Api-Token,User-Form-Token,User-Token,Token
Access-Control-Allow-Credentials: true
Set-Cookie: lang=zh-cn; path=/; secure; HttpOnly; SameSite=none
Set-Cookie: PHPSESSID=45780759c5ea6ae0be9cfc95fde04bc9; path=/; secure; HttpOnly; SameSite=none
Strict-Transport-Security: max-age=31536000

💥 Impact

CORS (Cross-Origin Resource Sharing) defines a mechanism for client-side cross-origin requests. This application uses it insecurely: it does not validate the Origin header, reflects whatever value was sent back in Access-Control-Allow-Origin, and returns Access-Control-Allow-Credentials: true.

In this configuration any website can issue requests that carry the user's credentials and read the responses. A cross-site fetch with credentials set to include is enough, and the PHPSESSID cookie is issued with SameSite=None, so the browser attaches the session to such requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. The response also carries no Vary: Origin header, so a shared cache could hand the reflected Access-Control-Allow-Origin value to requests from other origins.
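The following is an added example, not part of the report and not ThinkAdmin code. It turns the reasoning above into a check: given the request Origin and the response headers, it decides whether a cookie-bearing cross-site fetch from that origin could read the body, and separately flags session cookies issued with SameSite=None. The sample headers are re-typed from the response in the report as constructed test data; `probe()` is a live variant that sends one GET with an attacker-chosen Origin (the URL and origin are placeholders).

```python
"""Classify a CORS exchange for a reflected Origin plus credentials.

Added example: not part of the huntr report and not ThinkAdmin/ThinkLibrary code.
REPORT_RESPONSE is constructed test data re-typed from the response in the report.
"""
import urllib.request


def cors_verdict(origin, headers):
    """Decide what a browser would let a page at `origin` do with this response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    Returns a dict with:
      credentialed_read  True if a cookie-bearing cross-site fetch from `origin`
                         can read the body (the condition the report describes).
      reason             one-line justification.
      cookie_cross_site  True if a cookie is set with SameSite=None, which is
                         what lets the browser attach it to cross-site requests.
    """
    lower = [(k.lower(), v.strip()) for k, v in headers]
    acao = next((v for k, v in lower if k == "access-control-allow-origin"), None)
    acac = any(k == "access-control-allow-credentials" and v.lower() == "true"
               for k, v in lower)
    vary = [x.strip().lower() for k, v in lower if k == "vary" for x in v.split(",")]
    cookie_cross_site = any(k == "set-cookie" and "samesite=none" in v.lower()
                            for k, v in lower)

    if acao is None:
        readable, reason = False, "no Access-Control-Allow-Origin: browser withholds the body"
    elif acao == "*":
        # Browsers reject a credentialed response whose ACAO is "*", so cookies never help here.
        readable, reason = False, "wildcard ACAO: anonymous reads only, credentialed reads blocked"
    elif acao == origin and acac:
        readable, reason = True, "Origin reflected with Allow-Credentials: true"
        if "origin" not in vary:
            reason += " (no Vary: Origin, so a shared cache may serve this ACAO to other origins)"
    elif acao == origin:
        readable, reason = False, "Origin reflected without credentials: anonymous reads only"
    else:
        readable, reason = False, f"ACAO is {acao!r}, not the requesting origin"

    return {"credentialed_read": readable, "reason": reason,
            "cookie_cross_site": cookie_cross_site}


def probe(url, origin="https://evilsite.com"):
    """Live check: send one GET with an attacker-chosen Origin and classify the reply."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return cors_verdict(origin, resp.getheaders())


# Constructed from the response in the report; used for the offline check below.
REPORT_RESPONSE = [
    ("Server", "nginx"),
    ("Content-Type", "application/json; charset=utf-8"),
    ("Access-Control-Allow-Origin", "https://evilsite.com"),
    ("Access-Control-Allow-Methods", "GET,PUT,POST,PATCH,DELETE"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "lang=zh-cn; path=/; secure; HttpOnly; SameSite=none"),
    ("Set-Cookie", "PHPSESSID=45780759c5ea6ae0be9cfc95fde04bc9; path=/; secure; HttpOnly; SameSite=none"),
]

if __name__ == "__main__":
    print(cors_verdict("https://evilsite.com", REPORT_RESPONSE))
```

Run the file to see the verdict for the report's exchange; point `probe()` at a real endpoint only with permission. The check deliberately treats a wildcard Access-Control-Allow-Origin as not exploitable for credentialed reads, since browsers refuse that combination, which is why a reflected origin is the dangerous pattern rather than `*`.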

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立 (Maintainer), 2 years ago:

The Origin is automatically adapted to the request address to generate the CORS rules; this is open by design for our front-end project requirements. If you need to restrict the domain name for CORS, you just need to configure access rules, that is, the CORS rules of thinklibrary. We will consider adding a custom authorized domain name configuration later.

邹景立 (Maintainer), 2 years ago:

The CORS configuration has been added to thinklibrary. You can see it by updating thinklibrary with composer. CORS can be configured with the config/app.cors_auto and app.cors_host parameters: cors_host means auto-adapt CORS rules, cors_host indicates that CORS access is only allowed for the current domain name.

https://github.com/zoujingli/ThinkLibrary/blob/v6.0/src/Library.php#L103
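The block below is an added illustration, not ThinkLibrary's code and not the commit linked above. It models the two behaviours the maintainer's comments describe, an "auto" mode that adapts the CORS rule to whatever origin asks (the reported behaviour) and a "host" mode that admits only the site's own host, and shows what a strict allowlist check has to do: compare the full scheme://host[:port] exactly, reject the "null" origin, and emit Vary: Origin. Function, parameter and mode names are this example's own assumptions, and a naive substring check is included only to show why exact matching matters.

```python
"""Strict CORS origin allowlisting beside the reflect-anything rule.

Added example, not ThinkLibrary's implementation: it only illustrates the
"auto" and "host" behaviours described in the maintainer's comments.
All names (cors_headers, trusted_origins, mode values) are this example's own.
"""
from urllib.parse import urlsplit


def normalize(origin):
    """Reduce an origin to lowercase scheme://host[:port]; '' if unparsable (e.g. 'null')."""
    try:
        p = urlsplit(origin)
        if not p.scheme or not p.hostname:
            return ""
        port = f":{p.port}" if p.port else ""
        return f"{p.scheme.lower()}://{p.hostname}{port}"
    except ValueError:          # malformed port and similar
        return ""


def trusted_origins(request_host, allowed=()):
    """Exact-match set: the site's own https origin plus explicitly allowed ones."""
    own = {f"https://{request_host.lower()}"}
    return own | {normalize(o) for o in allowed} - {""}


def naive_match(origin, request_host):
    """The wrong way: substring matching accepts attacker-controlled hosts."""
    return request_host in origin


def cors_headers(origin, request_host, mode="host", allowed=()):
    """Return the CORS response headers for one request.

    origin:       the request's Origin header, or None when absent.
    request_host: the Host the request arrived on, e.g. "testdomain11.com".
    mode:         "auto" reflects any origin (the behaviour in the report);
                  "host" admits only https://<request_host> and `allowed`.
    """
    if origin is None:
        return {}               # no Origin: same-origin or non-browser client, nothing to grant
    if mode == "auto":
        acao = origin           # reflecting plus credentials is the reported misconfiguration
    else:
        acao = origin if normalize(origin) in trusted_origins(request_host, allowed) else None
    if acao is None:
        return {"Vary": "Origin"}   # no ACAO at all: the browser withholds the body cross-site
    return {
        "Access-Control-Allow-Origin": acao,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",           # caches must not reuse one origin's ACAO for another
    }


if __name__ == "__main__":
    for o in ("https://evilsite.com", "https://testdomain11.com",
              "https://testdomain11.com.evilsite.com", "null"):
        print(o, "auto:", cors_headers(o, "testdomain11.com", mode="auto"),
              "host:", cors_headers(o, "testdomain11.com"))
```

The design point is that an allowlist entry is a whole origin, never a domain fragment: `naive_match` accepts `https://testdomain11.com.evilsite.com` because the trusted host is a substring, while `cors_headers` in host mode rejects it. Only the auto mode, which the maintainer describes as the previous default, reproduces the header pair shown in the proof of concept.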

邹景立 validated this vulnerability 2 years ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 26e92b 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
邹景立 (Maintainer), 2 years ago:

This bug does not point to the author of the fix. Can you restart it?
