Headline
CVE-2022-42975: Fix wildcard check_origin vulnerability. · phoenixframework/phoenix@6e7185b
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
Permalink
Browse files
Fix wildcard check_origin vulnerability.
Previously, our documentation points to a wilcard example of:
check\_origin: \[
"//\*.other.com"
\]
Which should allow any subdomain of "other.com", but our comparison for `"//*.other.com"` would allow `api.any-other.com`, which would allow an attacker to register a domain with a custom prefix of a target domain and pass origin checks. This patch ensures the `String.ends_with?` check includes the subdomain dot prefix.
Who is affected?
Only those using a wildcard check origin are affected, and potential exploits are limited to allowing unauthenticated channel connections from a bad host. Because LiveView adds its own csrf token to the connection by default, LiveView applications with wildcard check origin would refuse connection under this scenario. Additionally, channel applications utilizing token based authentication would require the attacker to also have a valid token to connection from a bad host. Phoenix channels does not allow access to cookies, so an attacker would also not be able to pass their own cookies from a bad host.
- Loading branch information
Related news
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.