exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rack-cors Missing Anchor

rack-cors Missing Anchor
Posted Jul 12, 2017
Authored by Jens Mueller

A missing anchor in generated regex for rack-cors versions prior to 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.

tags | advisory
SHA-256 | 9e2393521935f0c2d55d8bbcb87e105d1c088b74bf965cd2698351eafce20ff4

rack-cors Missing Anchor

Change Mirror Download
Missing anchor in generated regex for rack-cors before 0.4.1
allows a malicious third-party site to perform CORS requests.
If the configuration were intended to allow only the trusted
example.com domain name and not the malicious example.net domain name,
then example.com.example.net (as well as example.com-example.net) would
be inadvertently allowed.

------------------------------------------

[Additional Information]
The rack-cors gem can be used to configure CORS access headers for
any web site. A security researcher, Jens Mueller, notified us of
exploitable CORS misconfiguration for the [REDACTED] web site. During
the course of investigation, we realized the rack-cors 0.4.0 gem was
generating regexes without proper trailing anchors for configured
origin domains. The issue is fixed in version 0.4.1 of the gem, but no
attention was drawn to the fix in
https://github.com/cyu/rack-cors/blob/master/CHANGELOG and there were
no assigned CVEs (as of early 2017) for the vulnerable versions of the
gem. According to rubygems.org, there are at least 7,614,856 downloads
for versions < 0.4.1 of the gem.

The researcher, Jens, reports there are a number of top Alexa sites
that have vulnerable CORS configurations. He tells us many of these
sites are using the rack-cors gem. He has been scanning the web at
large and has published a tool at https://github.com/RUB-NDS/CORStest
to check for vulnerable CORS configurations.

Affected sites are those that are running rack-cors < 0.4.1 and are
specifying
origin domains as string parameters:

use Rack::Cors do
allow do
origins 'example.com', ...
...
end

We have been in contact with Jens and suggested filing a CVE for
vulnerable versions of the gem. He said he does not have the time to
fill out the paperwork, so we are publishing this for him. All credits
to Jens for discovery of the vulnerability.

------------------------------------------

[VulnerabilityType Other]
Incorrect Access Control

------------------------------------------

[Affected Product Code Base]
rack-cors gem - Affected: 0.4.0 and below, Fixed: 0.4.1

------------------------------------------

[Affected Component]
https://github.com/cyu/rack-cors/blob/v0.4.0/lib/rack/cors.rb#L256

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[CVE Impact Other]
Incorrect handling of origin configuration results in CORS request
authorization for malicious third-party sites/domains

------------------------------------------

[Attack Vectors]
A malicious actor may perform actions on behalf of a logged-in user
for example.com by convincing the logged-in user to visit
example.com.example.net or example.com-example.net. This
may be disguised via phishing with URL shortener services. E.g. "A
politician does something crazy again! Read about it here:
http://t.co/xyz" -> expands to example.com.example.net,
performs CORS requests to example.com, and then redirects to the
original article.

------------------------------------------

[Discoverer]
Jens Mueller <jens.a.mueller@rub.de>


Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close