Origin validation Bypass in ikus060/rdiffweb

Valid

Reported on

Oct 6th 2022

In the following python script

    if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
        origin = request.headers.get('Origin', None)
        if origin and not origin.startswith(request.base):
            raise cherrypy.HTTPError(403, 'Unexpected Origin header')

Explanation:

In the above lines of code, The origin is being only validated from the start of domain name only https://rdiffweb-demo.ikus-soft.com. But it isn't validated after the actual domain name https://rdiffweb-demo.ikus-soft.com .nithissh.com

For Example,

If we enter the following domain https://nithissh.com.rdiffweb-demo.ikus-soft.com as an origin and then the origin header being validated and returns a 403 status as expected in the code

But Now we can bypass the above validation check, By a creating subdomain after the soft.com.^ as follows https://rdiffweb-demo.ikus-soft.com .nithissh.com.

Impact

These kind of origin validation bypasses helps in chaining with other vulnerabilities like CSRF, XSS and Clickjack as well

Remediation

This is a snippet of regex for a user input and we can make use of this in the Origin header validation as well

import re

def use_regex(input_text):
    pattern = re.compile(r"^rdiffweb-demo\.ikus-soft\.com$", re.IGNORECASE)
    return pattern.match(input_text)
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago
Patrik Dufresne modified the Severity from Medium (6.5) to Medium (4.8) a year ago
Patrik Dufresne
a year ago

Maintainer

@Nithissh12

It's very unlikely to work since Rdiffweb is installed behind a reverse proxy that would not know how to respond to "https://rdiffweb-demo.ikus-soft.com .nithissh.com"

Have you been able to exploit this vulnerability with rdiffweb-demo.ikus-soft.com ?

Nithissh12
a year ago

Researcher

It isn’t possible as of now but In future we can able to use this vulnerability to exploit such vulnerabilities like XSS, CSRF in future

We have sent a follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago
Patrik Dufresne modified the Severity from Medium (4.8) to Low (3.7) a year ago
Patrik Dufresne assigned a CVE to this report a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability a year ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nithissh12
a year ago

Researcher

Thanks Patrik, Have a great day ahead

Nithissh12
a year ago

Researcher

@admin Is it possible to collaborator here ?

Pavlos
a year ago

Admin

Hey @nithissh12 unfortunately we don't support collaboration just yet...

Patrik Dufresne marked this as fixed in 2.5.0a5 with commit afc1bd a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
secure_headers.py#L60-L63 has been validated
Patrik Dufresne published this vulnerability a year ago
to join this conversation