Security vulnerability with proxy view and csrf/sessionid cookie #1308

Closed
mbertrand opened this Issue Dec 13, 2013 · 3 comments

@mbertrand
Member

mbertrand commented Dec 13, 2013

Passing this on from Adam Ziaja - the proxy view sends the csrf/sessionid cookie values to the destination URL, from where they could be collected to spoof a login. Proxy could also be used to access localhost:

Hi, cookies should have the httponly and secure flags, because otherwise, without
httponly, they can be used/stolen with, for example, an XSS attack
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 ; also the secure
flag makes them go only over HTTPS, because over HTTP they can easily be stolen by
sniffing (because they are not encrypted).

This proxy is very insecure. This example with postfix shows how I make a local
connection inside your Ubuntu server so I can use your IP, and for example
you will have some folder with access allowed only for the server IP or only
for localhost, and then I can see it. Also the example with my website shows how
I can steal your session and log in as you, and also send some GET/POST as you,
because I have your csrftoken and session cookies - for clients
(browsers and people) I am like part of your website. Your browser gives
your web cookie to my server because it thinks that my web is still the Harvard
website - this is because your application works as a proxy server and allows
me to connect as the Harvard server, so bad people can for example hack other
server(s) over your proxy and it will be your IP.

Also one can make a fake form, for example a login form, or run some javascript etc. -
because this allows XSS as well, and
https://www.owasp.org/index.php/Open_redirect and probably a few others,
but I have never had such a case; this allows a lot of abuses and so many of
them are very high risk.

Look in the attached file, now do you believe? I am logged in as admin on your beta
web (admin email is bobby@bob.com); you gave me these cookies but I was also
able to save them, the same as I show on my website - but my web shows only
headers and doesn't save them, because I don't use my web to abuse but to debug
such problems. With this proxy I am also able to do some "auto owned", i.e.
some automatic hacking machine, like sending a link to people, and when they are
logged in on your web and click my link it then deletes and changes everything etc. - like
changing the password and contact e-mail.

welcome - geonode demo server 2013-12-13 08-15-26

@adamziaja


adamziaja commented Dec 13, 2013

I wrote it late at night, so sorry for my English language skills ;).

PoC URLs:
http://worldmap.harvard.edu/proxy/?url=https://localhost:25
http://beta.dev.geonode.org/proxy/?url=http://www.ipchicken.com
http://beta.dev.geonode.org/proxy/?url=http://adamziaja.com/projects/webtools/headers.php (after login on website you will see there cookies: sessionid and csrftoken)

@garnertb


Member

garnertb commented Dec 13, 2013

In the future, we should use a less-public channel for filing security-related issues like this.

@adamziaja


adamziaja commented Dec 13, 2013

I agree, maybe it would be better to hide this thread?

@garnertb garnertb closed this in 26c157e Dec 20, 2013

ingenieroariel added a commit that referenced this issue Dec 20, 2013

Merge pull request #1315 from garnertb/proxy
Improve security for the proxy view.  Fixes #1308.

ingenieroariel added a commit that referenced this issue Jan 1, 2014

Added Adam Ziaja to Contributors
He found a vulnerability in GeoNode's proxy view: #1308

capooti pushed a commit to capooti/geonode that referenced this issue Sep 24, 2014

Improve security for the proxy view. Fixes GeoNode#1308.
* In production, the proxy will only respond to hosts listed in the settings.PROXY_ALLOWED_HOSTS tuple and the OGC_SERVER hostname.

* Remove the pass through authentication headers.  Pass through authentication headers were getting added to requests outside of their respective realm.

* Add a PROXY_URL setting so administrators can use proxies other than the GeoNode.

* Only forward session cookies to the OWS url since commit ef1cf1 states that session cookies can influence local OWS GetCapabilities requests.
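The commit message above lists the three rules the fix applies to the proxy view: an allowlist of target hosts, no pass-through of browser credentials, and session cookies forwarded only to the OWS server. The following Python is an added illustration of those rules written for this thread; it is not GeoNode's own proxy code. It assumes a Django-style settings module where PROXY_ALLOWED_HOSTS is a tuple of hostnames and OGC_SERVER is a dict whose "LOCATION" key holds the OWS base URL (the setting names come from the commit message, the values are constructed placeholders). The helper names host_and_port, is_allowed_target and outbound_headers are hypothetical.

```python
from urllib.parse import urlparse

# Constructed sample settings (not a real deployment). The names
# PROXY_ALLOWED_HOSTS and OGC_SERVER come from the fix commit; the values
# are placeholders.
PROXY_ALLOWED_HOSTS = ("tiles.example.org", "wms.example.net")
OGC_SERVER = {"LOCATION": "http://localhost:8080/geoserver/"}

# Browser-supplied credentials that must never cross the proxy boundary.
STRIPPED_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_and_port(url):
    """Return (hostname, effective port) for an http(s) URL, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS or not parsed.hostname:
        return None  # rejects file:, gopher:, scheme-less input, etc.
    try:
        port = parsed.port or DEFAULT_PORTS[parsed.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    # urlparse already lowercases the hostname; userinfo ("a@b") is ignored,
    # so "http://tiles.example.org@other.example/" resolves to other.example.
    return parsed.hostname, port


def ogc_endpoint():
    """(host, port) of the configured OWS server."""
    return host_and_port(OGC_SERVER["LOCATION"])


def is_allowed_target(url, allowed_hosts=PROXY_ALLOWED_HOSTS):
    """Allow only listed hosts, or the exact host:port of the OGC server.

    Matching the OGC server on host AND port keeps the proxy from being
    pointed at other services (e.g. port 25) on the same machine, which a
    hostname-only comparison would permit.
    """
    target = host_and_port(url)
    if target is None:
        return False
    host, _port = target
    return host in allowed_hosts or target == ogc_endpoint()


def outbound_headers(target_url, incoming_headers, session_cookie=None):
    """Build the upstream header set for an allowed target.

    Every credential header from the browser is dropped unconditionally;
    the session cookie is re-attached only when the target is the OGC
    server itself, which is the one upstream that legitimately needs it.
    """
    forwarded = {name: value for name, value in incoming_headers.items()
                 if name.lower() not in STRIPPED_HEADERS}
    if session_cookie and host_and_port(target_url) == ogc_endpoint():
        forwarded["Cookie"] = "sessionid=%s" % session_cookie
    return forwarded


if __name__ == "__main__":
    for candidate in ("https://tiles.example.org/wms",
                      "http://localhost:8080/geoserver/wms",
                      "http://localhost:25/",
                      "file:///etc/passwd"):
        verdict = "allowed" if is_allowed_target(candidate) else "refused"
        print("%-40s -> %s" % (candidate, verdict))
```

The check is applied before any outbound connection is opened, and the decision is made on the parsed hostname rather than on a substring of the raw URL, so userinfo tricks such as `allowed-host@other-host` do not pass. Django's own SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE settings address the cookie-flag part of the original report separately from the proxy logic shown here.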

capooti pushed a commit to capooti/geonode that referenced this issue Sep 24, 2014

Merge pull request GeoNode#1315 from garnertb/proxy
Improve security for the proxy view.  Fixes GeoNode#1308.

capooti pushed a commit to capooti/geonode that referenced this issue Sep 24, 2014

Added Adam Ziaja to Contributors
He found a vulnerability in GeoNode's proxy view: GeoNode#1308

allyoucanmap pushed a commit to allyoucanmap/geonode that referenced this issue Apr 3, 2017

Fix GeoNode#1308. Fixed vector data export in leaflet (GeoNode#1309)
- uses canvg lib to get the svg and draw it on the map.