HTTP fallback via "/plain" allows opportunity for DNS rebinding attack #355

Closed
abarisani opened this issue Dec 2, 2015 · 10 comments

@abarisani

The shellinabox server, while using the HTTPS protocol, allows HTTP fallback through the "/plain" URL.

This exposes the opportunity for a potential DNS rebinding attack, by malicious JavaScript loaded in the context of the user's browser, that would allow a connection to shellinabox in the time window between server startup and the user's reconfiguration of the default credentials (the scenario is a vanilla installation of, for example, an embedded system).

The "/plain" fallback should be disabled by default to improve security and mitigate such an attack.

Credit goes to Stephen Röttger from the Google Security Team for identifying the issue.
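A quick way to check a deployment for the behaviour described above is to open a raw TCP connection to the HTTPS port and send an unencrypted GET for /plain, then look at what comes back. The following is an added example written for this page, not code from the shellinabox project or from the reporter; the host and port it references are assumptions, and the sample server replies in the `__main__` block are constructed so the classifier can be exercised offline.

```python
"""Check whether a shellinabox server still accepts plaintext HTTP on its HTTPS
port, i.e. whether the "/plain" fallback described in issue #355 is reachable.

This is an added example, not code from the shellinabox project.  It opens a
raw TCP connection, sends an unencrypted HTTP GET for /plain and classifies
what the server sends back:

  plaintext-http  server answered HTTP over plain TCP: fallback still enabled
  tls-alert       server replied with a TLS alert: it insists on TLS
  closed          server dropped the connection (what the fix in v2.19 does)
  unknown         anything else

The host and port used below are assumptions for illustration.
"""
import socket

TLS_ALERT_RECORD = 0x15  # TLS record content type "alert"


def build_plain_request(host: str, path: str = "/plain") -> bytes:
    """Plaintext HTTP/1.1 GET for the fallback URL, i.e. what a browser sends
    after client-side script redirects it from https:// to http://."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned to a plaintext GET."""
    if not data:
        return "closed"
    if data.startswith(b"HTTP/1."):
        return "plaintext-http"
    # A TLS alert record starts with content type 0x15 and a 0x03xx version.
    if len(data) >= 3 and data[0] == TLS_ALERT_RECORD and data[1] == 0x03:
        return "tls-alert"
    return "unknown"


def fallback_enabled(verdict: str) -> bool:
    """True only when the server served HTTP over an unencrypted socket."""
    return verdict == "plaintext-http"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port and classify the reply to a plaintext GET /plain."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_plain_request(host))
        try:
            data = sock.recv(1024)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    # Constructed sample replies (not captured from a real server), so the
    # classifier can be exercised without network access.
    samples = {
        "pre-fix server": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
        "TLS-only server": bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A]),
        "v2.19 behaviour": b"",
    }
    for name, reply in samples.items():
        verdict = classify_reply(reply)
        print(f"{name:16s} -> {verdict:15s} fallback_enabled={fallback_enabled(verdict)}")

    # Live check against a deployment (assumed host and port, adjust as needed):
    # print(probe("shell.example.internal", 4200))
```

Run it against the HTTPS port of the instance under test; a `plaintext-http` verdict means an attacker-controlled page could still drive the browser to the unencrypted endpoint, while `closed` matches the post-fix behaviour of dropping non-SSL connections on an HTTPS-enabled server.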

@KLuka
Member

KLuka commented Dec 2, 2015

Thank you and Stephen for the report 👍 I am working on the issue and hope I manage to get some reasonable fix soon.

I am not sure how severe this threat is, but this must be fixed anyway...

More info:

@KLuka KLuka added the bug label Dec 2, 2015
KLuka added a commit that referenced this issue Dec 3, 2015
* Disabled all methods of HTTP fallback when HTTPS is enabled. This
  is enforced on server side so that even modified client code (JS)
  cannot redirect client from HTTPS to HTTP, like it was possible
  before (issue #355).
* Current solution unfortunately also disables automatic upgrade from
  HTTP to HTTPS (when available), since all non-SSL connections are
  dropped immediately.
@KLuka
Member

KLuka commented Dec 3, 2015

@abarisani I pushed the patch to master. By my tests it should work as expected, but it would be great if you and your team can confirm that the issue is really resolved.

Thanks again for the report.

@abarisani
Author

I confirm that this resolves the issue. Thanks!

@KLuka
Member

KLuka commented Dec 4, 2015

Thanks for confirmation. Since the issue is resolved, I think it would be best to release new packages.

/cc @beewoolie, @scaronni, @monsieurp

@beewoolie

Roger.

@monsieurp

I'm going to let the Gentoo Security folks know. Thanks a lot for your work.

@KLuka
Member

KLuka commented Dec 4, 2015

Great 👍

I just added two more commits, and after @beewoolie updates debian/changelog we can create a tag for version 2.19 here on GitHub. Other distros can create new packages from that tag ;)

@beewoolie

Pushed.

@KLuka
Member

KLuka commented Dec 5, 2015

@beewoolie thanks for your work 👍
@monsieurp here is the official tag: https://github.com/shellinabox/shellinabox/releases/tag/v2.19

@beewoolie

Right back at ya.
