HTTP fallback via "/plain" allows opportunity for DNS rebinding attack #355
Comments
Thank you and Stephen for the report. I am not sure how severe this threat is, but this must be fixed anyway... More info:

* Disabled all methods of HTTP fallback when HTTPS is enabled. This is enforced on the server side so that even modified client code (JS) can not redirect the client from HTTPS to HTTP, like it was possible before (issue #355).
* The current solution unfortunately also disables automatic upgrade from HTTP to HTTPS (when available), since all non-SSL connections are dropped immediately.

@abarisani I pushed the patch to master. By my tests it should work as expected, but it would be great if you and your team can confirm that the issue is really resolved. Thanks again for the report.

I confirm that this resolves the issue. Thanks!

Thanks for the confirmation. Since the issue is resolved, I think it would be best to release new packages. /cc @beewoolie, @scaronni, @monsieurp

Roger. On 12/4/15 8:54 AM, Luka Krajger wrote:

I'm going to let the Gentoo Security folks know. Thanks a lot for your work.

Great, I just added two more commits, and after @beewoolie updates debian/changelog we can create a tag for version 2.19 here on GitHub. Other distros can create a new package from that tag ;)

Pushed. On 12/4/15 8:54 AM, Luka Krajger wrote:

@beewoolie thanks for your work

Right back at ya. On 12/5/15 10:57 AM, Luka Krajger wrote:
The shellinabox server, while using the HTTPS protocol, allows HTTP fallback through the "/plain" URL.
This exposes the opportunity for a potential DNS rebinding attack by malicious JavaScript loaded in the context of the user's browser, which would allow a connection to shellinabox in the time window between server startup and the user's reconfiguration of the default credentials (the scenario is a vanilla installation of, as an example, an embedded system).
The "/plain" fallback should be disabled by default to improve security and mitigate such an attack.
Credit goes to Stephen Röttger from the Google Security Team for identifying the issue.
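To make the server-side fix concrete, here is an added example (not shellinabox's own code) of a listener that sniffs the first bytes of each TCP connection to tell a TLS ClientHello from plaintext HTTP, and applies both the pre-fix policy (plaintext "/plain" fallback served while HTTPS is on) and the fixed policy (every non-TLS connection dropped). The function names, the `allow_plain_fallback` flag and the sample byte strings are constructed for this example.

```python
# Added example: protocol sniffing on one port, with the policy from this issue.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a fresh TCP connection.

    A TLS ClientHello begins with a record header: content type 0x16
    (handshake), major version 0x03, a 2-byte length, then handshake
    type 0x01 (ClientHello) at offset 5. Plaintext HTTP begins with an
    ASCII method token followed by a space.
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    token = data.split(b" ", 1)[0]
    if token in HTTP_METHODS and b" " in data:
        return "http"
    return "unknown"


def accept_connection(data: bytes, https_enabled: bool, allow_plain_fallback: bool) -> bool:
    """Return True if the server should keep serving this connection.

    allow_plain_fallback=True reproduces the behaviour reported in the
    issue: with HTTPS on, a plaintext request (e.g. to "/plain") is still
    served, so a browser script can reach the server after DNS rebinding,
    since no certificate check stands in the way of a plain HTTP request.
    allow_plain_fallback=False is the server-side fix: any non-TLS
    connection is dropped as soon as its first bytes arrive, so a
    modified client cannot negotiate its way back down to HTTP.
    """
    kind = classify_first_bytes(data)
    if not https_enabled:
        return kind == "http"
    if kind == "tls":
        return True
    return allow_plain_fallback and kind == "http"


# Constructed sample inputs: a truncated TLS 1.0-framed ClientHello and a
# plaintext request for the fallback path from a rebound hostname.
TLS_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
PLAIN_GET = b"GET /plain HTTP/1.1\r\nHost: attacker.example\r\n\r\n"

if __name__ == "__main__":
    for name, policy in (("pre-fix", True), ("fixed", False)):
        served = accept_connection(PLAIN_GET, https_enabled=True, allow_plain_fallback=policy)
        print(f"{name}: plaintext /plain request served = {served}")
```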