Regex check failed leads to CORS bypass in jgraph/drawio

Valid

Reported on

May 16th 2022


Description

ProxyServlet will call getCorsDomain to get value and set it to Access-Control-Allow-Origin. This check only allow accept sharing with *.draw.io, *.diagrams.net and *.quipelements.com. However, I found that regex to match must not start with ^ leads to bypass.

Proof of Concept

Step 1: Call this request

/GET /proxy?url=https://draw.io HTTP/1.1
Host: app.diagrams.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Referer: https://www.google.com/url=https://x123.draw.io/last
Te: trailers
Connection: close


Step 2: You can see header "Access-Control-Allow-Origin: https://www.google.com/url=https://x123.draw.io"

Impact

This leads to bypassing the resource sharing mechanism, third party websites can read resources from app.diagrams.net.

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago
David Benson
a month ago

Hi, please could you provide a PoC attack for this? To score 9.1 I need a concrete example that demonstrates why the integrity and confidentially are scored high in this case. Thanks.

nhiephon
a month ago

Researcher


You can re-evaluate a reasonable score for this vulnerability. I have no experience with scoring related to CORS bugs, I only give a visual rating based on 3rd website being able to access data from draw.io.

Regards.

David Benson
a month ago

Thanks. When you say a 3rd party website can access data, do you mean data or resources? Data is obviously serious, but this case is resources, yes?

David Benson modified the Severity from Critical to None a month ago
David Benson modified the Severity from None to None (0) a month ago
nhiephon
a month ago

Researcher


I have consulted some CORS related vulns, scores are usually low/medium. I don't think it's appropriate to score 0 in this case.

Regards.

David Benson
a month ago

Hi, there is a scoring system built into this app. It rates based on the values given for the various factors. I marked integrity and confidentially as none.

I happy to discuss, but what exactly is the attack here? That another site can load our resources? What is the exact attack?

We have contacted a member of the jgraph/drawio team and are waiting to hear back a month ago
David Benson
a month ago

Hi, please provide details of the attack. The proxy does not serve non-public content. The check may well be incorrect, but all that would happen is public content would be served via the proxy, the severity of this is trivial. Thanks.

David Benson modified the Severity from None to Low a month ago
David Benson
a month ago

We'll say low.

nhiephon
a month ago

Researcher


I think you can close this report with low severity. I don't have any poc to increase severity.

Regards.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a month ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on c63f3a a month ago
The fix bounty has been dropped
ProxyServlet.java#L315-L336 has been validated
to join this conversation