-
-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mitmweb isn't protected against DNS rebinding #3234
Comments
Thanks for raising this. Any recommendations on how we can fix this best? |
I like the Jupyter implementation - effectively password protect the web interface, but pass an access token to your |
CVE-2018-14505 has been assigned to this issue |
Thanks again - we've just released mitmproxy 4.0.4, which includes the fix from #3243. :) |
To bypass this security fix mitmproxy/mitmproxy#3234
@mhils Is it possible to turn it off and allow DNS rebinding? |
Would also like to know if this can be disabled - my instance is behind a reverse proxy so I am presuming this is safe enough for what I need it for, and accessing it externally would be helpful. |
Yes would love for this to be configurable. |
As @Kriechi merged #3243 into the master. Whats the problem having by default DnsBinding protection enabled, In our case, for internal usage purposes, we need to fork this repo and revert mentioned PR in order to fulfill our needs. IMHO, thats not the best way to do that. |
What the actual ...... ..... A day spent trying to figure out why a docker swarm Traefik router for |
@chrisbecke regarding traefik you need to disable passHostHeader see below example using compose - hope it helps you too :)
|
@hoogi91, thanks for the tip. |
@chrisbecke ah sry, forgot to mention them too, you also need to add a middleware that drops some request headers to make the websocket work:
|
Workaround for nginx-proxy-manager for the webinterface.
|
It is work for kubernetes traefik ingressRoute:
|
Here's what I eventually got working on haproxy for a mitmproxy home assistant addon (Docker container).
In my case, haproxy is listening on The |
A further potentially helpful snippet for users of Kubernetes' Nginx controller:
|
For anyone using Caddy as their reverse proxy:
example docker-compose.yml
|
The mitmweb interface does not seem to include protection against DNS rebinding. This could be exploited by a malicious website to either access the sniffed data or run arbitrary Python scripts on the filesystem by setting the
scripts
config option.I have hacked together a PoC here (nothing really special to be seen though).
The text was updated successfully, but these errors were encountered: