
CRLF injection in Buildbot login and logout redirect code

Povilas Kanapickas edited this page May 22, 2019 · 10 revisions

CVE ID

Type

  • CRLF injection
  • Cross domain cookie injection

Schedule

  • Reported: 29 Jan 2019
  • Fix merged into master: 01 Feb 2019
  • Fix in a release: 02 Feb 2019

Description

A CRLF sequence can be injected into the Location header of the /auth/login and /auth/logout endpoints through the redirect parameter:

curl -v https://buildbot.example.com/auth/logout?redirect=/%0d%0aSet-Cookie:%20TEST=TEST

In the server reply you should see: set-cookie: TEST=TEST

This is due to a lack of input validation in the Buildbot redirection code.

Impact analysis

No way was found to impact the security of Buildbot itself through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot.

  • cookie injection on a parent domain (i.e. if your Buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain)

  • HTTP response splitting and cache poisoning (browser or proxy) are also typical impacts of this vulnerability class, but might be impractical to exploit.

Versions vulnerable

Buildbot 0.9.0 to 1.8.0 (inclusive)

Fixed versions

Buildbot 2.0.0 and 1.8.1

Mitigations and patches

If Buildbot is hosted behind a reverse proxy, request rewriting can be used to filter out %0d and %0a from request URLs. For an NGINX server, add this at the top of your server block:

if ( $request_uri ~* "%0A|%0D" ) { return 404; }

Alternatively, the patch can be applied:

https://github.com/buildbot/buildbot/pull/4584/files#diff-a2e7e3ee5f6a1d3cd9c6abf0328c21e0

Or upgrade to version 2.0.0 or 1.8.1.
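The two defensive checks this page implies, written out as an added example (not Buildbot's patch and not its code): a hardened handling of the redirect parameter that refuses CR/LF and off-site targets before the value reaches a Location header, and the equivalent of the NGINX rule applied to access log lines so that probing for this bug is visible. The handler name, the decoded-parameter assumption and the log lines are all constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches CR, LF and every other ASCII control character; any of them in a
# value destined for a response header is a header-injection vector.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_redirect_target(redirect: str, default: str = "/") -> str:
    """Return a redirect target that is safe to place in a Location header.

    Assumption: the framework hands us the percent-decoded query value. The
    raw value is checked too, so a still-encoded %0d%0a is rejected as well.
    """
    if not redirect:
        return default
    if CONTROL_CHARS.search(redirect) or CONTROL_CHARS.search(unquote(redirect)):
        return default
    # Checked before urlsplit on purpose: urlsplit silently strips \t \r \n.
    parts = urlsplit(redirect)
    # Only same-site, path-absolute targets: no scheme, no host, no
    # scheme-relative "//host", no backslash variants some browsers accept.
    if parts.scheme or parts.netloc or not redirect.startswith("/"):
        return default
    if redirect.startswith("//") or "\\" in redirect:
        return default
    return redirect


# Constructed access log lines; the second one carries the page's probe.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jan/2019:10:00:00 +0000] "GET /auth/logout?redirect=/ HTTP/1.1" 302 0
203.0.113.5 - - [29/Jan/2019:10:00:01 +0000] "GET /auth/logout?redirect=/%0d%0aSet-Cookie:%20TEST=TEST HTTP/1.1" 302 0
198.51.100.7 - - [29/Jan/2019:10:00:02 +0000] "GET /auth/login?redirect=/builders HTTP/1.1" 302 0
"""

REQUEST_URI = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
ENCODED_CRLF = re.compile(r"%0[aAdD]")  # same test as the NGINX rule above


def find_crlf_probes(log_text: str) -> list[str]:
    """Return the raw request URIs in which %0A or %0D appears."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_URI.search(line)
        if m and ENCODED_CRLF.search(m.group(1)):
            hits.append(m.group(1))
    return hits
```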

Credits

  • Thanks to mik317 for finding and reporting this vulnerability responsibly.
  • Thanks to mariadb for forwarding us the report.