HTTP server implementation is vulnerable to DNS rebinding attacks #3288

Closed
dzsibi opened this issue Oct 27, 2020 · 1 comment · Fixed by #3212
Labels
PR: Security Applied to pull requests that address security-related issues or vulnerabilities. Type: Bug Issues related to software defects or unexpected behavior, which require resolution.
Milestone

Comments

@dzsibi
Contributor

dzsibi commented Oct 27, 2020

OpenRefine has endpoints with intentional remote code execution without authentication (like running Python or Clojure transformations). While the lack of authentication would not be an issue with normal desktop use when OpenRefine is bound to a loopback interface like 127.0.0.1, the current implementation still exposes users to Remote Code Execution via DNS rebinding attacks.

To Reproduce

I did not prepare a full Proof of Concept exploit, but the general steps would be:

  • Run OpenRefine
  • Visit rebindable.com, which loads a malicious script in the browser
  • Attacker rebinds rebindable.com to 127.0.0.1
  • Malicious script calls OpenRefine endpoints as if they were under rebindable.com

Current Results

The calls will succeed and an attacker can use them to run arbitrary code on the user's computer. This works because after the domain has been rebound, the script can now call OpenRefine endpoints as if they were same-origin.

Expected Behavior

The calls should be rejected.

Additional context

I have sent a pull request (#3212) to address this problem by validating the Host header. See implementation details in the thread associated with the PR. This issue was opened at the request of @tfmorris.
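One way to perform the kind of Host header validation the reporter describes, as an added illustrative example that is not OpenRefine's own code (the function names, the loopback allowlist and the bound port 3333 are assumptions):

```python
"""Host-header allowlist check against DNS rebinding (added example, not OpenRefine code)."""
import ipaddress
from urllib.parse import urlsplit

# Hostnames that legitimately name the loopback listener. Assumption: the server
# is bound to 127.0.0.1 / localhost, as in the desktop use the report describes.
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def parse_host_header(value):
    """Split a Host header into (host, port). Returns None on malformed input."""
    if not value:
        return None
    # urlsplit parses "host:port" and bracketed IPv6 literals such as "[::1]:3333".
    try:
        parts = urlsplit("//" + value.strip())
        host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    # Anything beyond a bare authority (a path, query or userinfo) is not a valid Host.
    if host is None or parts.path or parts.query or parts.username:
        return None
    return host.lower(), port


def host_header_allowed(value, bound_port, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """True only if the Host header names a host the server accepts for itself.

    A rebound domain (the reporter's rebindable.com) resolves to 127.0.0.1 but
    the browser still sends "Host: rebindable.com", so the request is rejected.
    """
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != bound_port:
        return False
    if host in allowed_hosts:
        return True
    # Also accept any loopback IP literal (127.0.0.0/8, ::1), e.g. 127.0.0.2.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample Host headers: expected allow / reject decisions.
    for hdr in ["localhost:3333", "[::1]:3333", "rebindable.com:3333", "localhost:8080", "127.0.0.1/x"]:
        print(f"{hdr!r:24} -> {'allow' if host_header_allowed(hdr, 3333) else 'reject'}")
```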

@dzsibi dzsibi added Type: Bug Issues related to software defects or unexpected behavior, which require resolution. Status: Pending Review Indicates that the issue or pull request is awaiting review by project maintainers or collaborators labels Oct 27, 2020
@tfmorris tfmorris added PR: Security Applied to pull requests that address security-related issues or vulnerabilities. and removed Status: Pending Review Indicates that the issue or pull request is awaiting review by project maintainers or collaborators labels Nov 3, 2020
@tfmorris
Member

tfmorris commented Nov 3, 2020

Thanks for creating the issue so that we can track this.

@wetneb wetneb added this to the 3.5 milestone Mar 22, 2021
@wetneb wetneb mentioned this issue Apr 24, 2021
wetneb added a commit to wetneb/OpenRefine that referenced this issue Apr 24, 2021
wetneb added a commit that referenced this issue May 8, 2021
* Take snapshot of docs for version 3.4

* Versioning for docs of the cross function, for #2504

* Document 'Store archive file' option (#1963)

* Remove unsupported preference from 3.4 docs (#2624)

* Mention that forEach works on JSON objects (#3149)

* Remove wholeText from 3.4 docs (#3180)

* Document -H, /H CLI options (#3288)

* Migrate Wikibase documentation from Wikidata (#1640)

* Miscellaneous, copy-editing