Regex check failed leads to CORS bypass in jgraph/drawio
May 16th 2022
ProxyServlet calls getCorsDomain to get a value and sets it as Access-Control-Allow-Origin. This check is only meant to allow sharing with *.draw.io, *.diagrams.net and *.quipelements.com. However, I found that the regex used for matching does not start with ^, which leads to a bypass.
Proof of Concept
Step 1: Send this request

GET /proxy?url=https://draw.io HTTP/1.1
Host: app.diagrams.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Referer: https://www.google.com/url=https://x123.draw.io/last
Te: trailers
Connection: close
Step 2: You can see the header "Access-Control-Allow-Origin: https://www.google.com/url=https://x123.draw.io" in the response.
This bypasses the resource sharing mechanism: third-party websites can read resources from app.diagrams.net.
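The anchoring mistake the report describes, shown as an added illustration in Python rather than the project's own Java code (the patterns below and the way the Access-Control-Allow-Origin value is derived from the Referer are assumptions, reconstructed only from the header shown above):

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Parent domains the report says the proxy is meant to share with.
ALLOWED_DOMAINS = ("draw.io", "diagrams.net", "quipelements.com")
_DOMAIN_ALT = "|".join(re.escape(d) for d in ALLOWED_DOMAINS)

# Assumed reconstruction of the flawed check: the pattern has no ^ anchor and
# is applied with search(), so it fires on an allowed host that appears
# *anywhere* in the Referer, e.g. inside another site's query string.
WEAK_PATTERN = re.compile(r"https?://([a-z0-9-]+\.)*(" + _DOMAIN_ALT + r")(/|$)", re.I)


def cors_origin_weak(referer: str) -> Optional[str]:
    """Unanchored variant. Returns the value that would be echoed in ACAO.

    The origin is derived by cutting the Referer at its last '/', an
    assumption that reproduces the header value shown in the report."""
    if WEAK_PATTERN.search(referer) is None:
        return None
    return referer[: referer.rfind("/")]


def cors_origin_strict(referer: str) -> Optional[str]:
    """Hardened variant: parse the URL and compare only its real hostname."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    # Exact domain or a true subdomain; 'evil-draw.io' is rejected because
    # the suffix comparison requires the leading dot.
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return None
    return f"{parts.scheme}://{parts.netloc}"


if __name__ == "__main__":
    # The Referer value from the report's request.
    crafted = "https://www.google.com/url=https://x123.draw.io/last"
    print("weak  :", cors_origin_weak(crafted))    # https://www.google.com/url=https://x123.draw.io
    print("strict:", cors_origin_strict(crafted))  # None
```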
Hi, please could you provide a PoC attack for this? To score 9.1 I need a concrete example that demonstrates why the integrity and confidentiality are scored high in this case. Thanks.
You can re-evaluate a reasonable score for this vulnerability. I have no experience with scoring related to CORS bugs, I only give a visual rating based on a 3rd-party website being able to access data from draw.io.
Thanks. When you say a 3rd party website can access data, do you mean data or resources? Data is obviously serious, but this case is resources, yes?
I have consulted some CORS-related vulns, scores are usually low/medium. I don't think it's appropriate to score 0 in this case.
Hi, there is a scoring system built into this app. It rates based on the values given for the various factors. I marked integrity and confidentiality as none.
I'm happy to discuss, but what exactly is the attack here? That another site can load our resources? What is the exact attack?
Hi, please provide details of the attack. The proxy does not serve non-public content. The check may well be incorrect, but all that would happen is public content would be served via the proxy, the severity of this is trivial. Thanks.
We'll say low.
I think you can close this report with low severity. I don't have any PoC to increase severity.