CRLF injection in Buildbot login and logout redirect code
CVE ID
Type
- CRLF injection
- Cross domain cookie injection
Schedule
- Reported: 29 Jan 2019
- Fix merged into master: 01 Feb 2019
- Fix in a release: 02 Feb 2019
Description
A CRLF sequence can be injected into the Location header of /auth/login and /auth/logout through the redirect query parameter:
curl -v https://buildbot.example.com/auth/logout?redirect=/%0d%0aSet-Cookie:%20TEST=TEST
In the server reply you should see the injected header: set-cookie: TEST=TEST
This is due to a lack of input validation of the redirect parameter in the Buildbot redirection code: the percent-decoded value is placed verbatim into the response header block.
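As an added illustration (not Buildbot's own code, and not the merged fix), the following Python shows why the missing validation matters and one way to validate the parameter. The minimal header parser stands in for a browser or proxy, and the fallback to "/" when validation fails is this example's own choice.

```python
"""Added example (not Buildbot's code): unvalidated redirect target
turned into header injection, beside a validator that rejects it."""
from urllib.parse import unquote, urlsplit

# Constructed sample: the query value from the curl command above, as the
# server sees it after percent-decoding (%0d%0a -> CR LF).
INJECTED_REDIRECT = unquote("/%0d%0aSet-Cookie:%20TEST=TEST")


def render_redirect_response(location: str) -> bytes:
    """Interpolates the target into the header block. Used on its own,
    this is the vulnerable pattern: a CR LF in `location` ends the
    Location line and whatever follows is read as a new header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response_headers(raw: bytes) -> dict:
    """Minimal parser standing in for a browser or proxy: splits the head
    on CRLF and returns {lowercased-name: value}."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_safe_redirect_target(target: str) -> bool:
    """Hypothetical validation (this example's own, not the merged fix):
    accept only same-origin absolute paths with no control characters."""
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False  # CR, LF and other controls: header injection vector
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # absolute URL or //host: open redirect
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False  # backslash rejected since some browsers treat it as "/"
    return True


def safe_redirect_response(requested: str, fallback: str = "/") -> bytes:
    """Hardened variant: validates first, falls back to a fixed path."""
    target = requested if is_safe_redirect_target(requested) else fallback
    return render_redirect_response(target)


if __name__ == "__main__":
    vulnerable = parse_response_headers(render_redirect_response(INJECTED_REDIRECT))
    print("vulnerable:", vulnerable)  # contains 'set-cookie': 'TEST=TEST'
    hardened = parse_response_headers(safe_redirect_response(INJECTED_REDIRECT))
    print("hardened:  ", hardened)    # Location is '/', no set-cookie header
```

The validator rejects every C0 control character rather than only CR and LF, since a header value must not contain any of them; it also refuses absolute and protocol-relative URLs, which closes the open-redirect variant of the same parameter at no extra cost.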
Impact analysis
No way was found to compromise Buildbot itself through this vulnerability, but it could be used to attack other sites hosted on the same parent domain as Buildbot.
- Cookie injection on the parent domain: if Buildbot is hosted at buildbot.buildbot.net, an attacker can set a cookie scoped to buildbot.net, which browsers then send to every host under *.buildbot.net and which could affect another website on that domain.
- HTTP response splitting and cache poisoning (of a browser or an intermediate proxy) are also typical impacts of this vulnerability class, but are likely to be impractical to exploit here.
Versions vulnerable
Buildbot 0.9.0 to 1.8.0 (included)
Fixed versions
Buildbot 2.0.0 and 1.8.1
Mitigations and patches
If Buildbot is hosted behind a reverse proxy, request filtering can be used to reject request URLs containing %0d or %0a. For NGINX, add this at the top of your server block (the ~* match is case-insensitive, so it covers both %0a and %0A):
if ( $request_uri ~* "%0A|%0D" ) { return 404; }
The patch can be applied:
https://github.com/buildbot/buildbot/pull/4584/files#diff-a2e7e3ee5f6a1d3cd9c6abf0328c21e0
Or upgrade to version 2.0.0 or 1.8.1.