| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201607232011.u6NKBmOP020847@sf01web2.securityfocus.com>
Date: Sat, 23 Jul 2016 20:11:48 GMT
From: mgill@...fee.me
To: bugtraq@...urityfocus.com
Subject: Autobahn|Python Insecure allowedOrigins validation >= 0.14.1
Observation:
Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set. This can allow third parties to execute legitimate requests for WAMP WebSocket requests against an Autobahn|Python/Crossbar.io server within another browser's context.
Proof of Concept:
The following will set
```
class OriginCheckServerFactory(WebSocketServerFactory):
protocol = ...arbitrary entry here...
def __init__(self, url):
WebSocketServerFactory.__init__(self, url)
self.setProtocolOptions(allowedOrigins=[u"127.0.0.1",u"*.example.com"])
```
Then the following connection request will result in a valid 101 Protocol Switch Response:
```
GET /ws HTTP/1.1
Host: www.example.com
Sec-WebSocket-Version: 13
Origin: http://www.example.com.malicious.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: tXAxWFUqnhi86Ajj7dRY5g==
Connection: keep-alive, Upgrade
Upgrade: websocket
```
This is due to the wildcard2patterns function, which turns `u"*.example.com"` into `r".*\.example\.com"`. This regex pattern is then matched against the complete incoming origin value(https://github.com/crossbario/autobahn-python/blob/1c86fefa733901247d6439af346d77cbb58a9bf4/autobahn/websocket/protocol.py#L2588).
Remediation:
This issue was fixed within Autobahn|Python 0.15.0 (https://autobahn-python.readthedocs.io/en/latest/changelog.html#id2)
Powered by blists - more mailing lists