Regex check failed leads to CORS bypass in jgraph/drawio

Valid

Reported on

May 16th 2022

Description

ProxyServlet will call getCorsDomain to get value and set it to Access-Control-Allow-Origin. This check only allow accept sharing with *.draw.io, *.diagrams.net and *.quipelements.com. However, I found that regex to match must not start with ^ leads to bypass.

Proof of Concept

Step 1: Call this request

/GET /proxy?url=https://draw.io HTTP/1.1
Host: app.diagrams.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Referer: https://www.google.com/url=https://x123.draw.io/last
Te: trailers
Connection: close

Step 2: You can see header "Access-Control-Allow-Origin: https://www.google.com/url=https://x123.draw.io"

Impact

This leads to bypassing the resource sharing mechanism, third party websites can read resources from app.diagrams.net.

We are processing your report and will contact the jgraph/drawio team within 24 hours. a year ago
David Benson
a year ago

Maintainer

Hi, please could you provide a PoC attack for this? To score 9.1 I need a concrete example that demonstrates why the integrity and confidentially are scored high in this case. Thanks.

nhiephon
a year ago

Researcher

You can re-evaluate a reasonable score for this vulnerability. I have no experience with scoring related to CORS bugs, I only give a visual rating based on 3rd website being able to access data from draw.io.

Regards.

David Benson
a year ago

Maintainer

Thanks. When you say a 3rd party website can access data, do you mean data or resources? Data is obviously serious, but this case is resources, yes?

David Benson modified the Severity from Critical to None a year ago
David Benson modified the Severity from None to None (0) a year ago
nhiephon
a year ago

Researcher

I have consulted some CORS related vulns, scores are usually low/medium. I don't think it's appropriate to score 0 in this case.

Regards.

David Benson
a year ago

Maintainer

Hi, there is a scoring system built into this app. It rates based on the values given for the various factors. I marked integrity and confidentially as none.

I happy to discuss, but what exactly is the attack here? That another site can load our resources? What is the exact attack?

We have contacted a member of the jgraph/drawio team and are waiting to hear back a year ago
David Benson
a year ago

Maintainer

Hi, please provide details of the attack. The proxy does not serve non-public content. The check may well be incorrect, but all that would happen is public content would be served via the proxy, the severity of this is trivial. Thanks.

David Benson modified the Severity from None to Low a year ago
David Benson
a year ago

Maintainer

We'll say low.

nhiephon
a year ago

Researcher

I think you can close this report with low severity. I don't have any poc to increase severity.

Regards.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 18.0.7 with commit c63f3a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ProxyServlet.java#L315-L336 has been validated
to join this conversation