Misconfigured CORS allows a malicious user to fetch api keys #22
Comments
I don't understand the issue.
Although, I agree it might not be desirable in some (most?) cases. At the very least it should be configurable.
The Access-Control-Allow-Origin header will accept any origin, as it is inserting the allowed value from the Origin header. Meaning that if you, as a valid Concord user, visit my "malicious" page, I can view any XHR response in my site's logs/context (bypassing the same-origin policy). Important to note: it works for ANY of the API calls, so host information, nodes, API metadata, references to usernames, etc. E.g. Origin: https://evil.hacker.com responds with Access-Control-Allow-Origin: https://evil.hacker.com. Reference to better explain: https://medium.com/bugbountywriteup/stealing-user-details-by-exploiting-cors-c5ee86ebe7fb. The CORS ACAO header shouldn't allow any requesting origin to view the responses.
Yeah, I understand how. Thanks!
Sorry, didn't mean to suggest you didn't! Thanks for being patient with my description. If the bug qualifies for a CVE reference, please let me know.
I honestly don't know if it qualifies for a CVE, but I guess it wouldn't hurt. :-) Here's the commit that makes
Yeah, I think once the server does not blindly insert the Origin: value into the Access-Control-Allow header it's fine. Should just be a regex to check it's Concord requesting it. Thanks a lot.
@fitzpr we good with closing this issue then?
Yeah, it's more a config issue than a coding change. Thanks for responding.
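As an added example (not Concord's own code, and not from any commenter), the reflection described in the comment above is shown beside an exact-match allowlist fix. The trusted origins `https://concord.example.com` and `http://localhost:3000`, the lookalike host, and the hypothetical `looseRegexAllows` check are assumptions made for illustration; `https://evil.hacker.com` is the origin from the comment. The regex check goes a step past the thread: it shows why "just a regex" is not a safe fix unless it matches the whole origin exactly.

```javascript
// Added example, not Concord's code. Origins below are assumed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://concord.example.com', // assumed UI origin
  'http://localhost:3000',       // assumed dev origin
]);

// Vulnerable pattern from the issue: whatever Origin the browser sent is
// copied into Access-Control-Allow-Origin, and credentials are allowed,
// so any page can read an authenticated user's API responses.
function reflectedCors(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Fix: compare the full origin (scheme + host + port) against a configured
// allowlist, exact match only. Unknown origins get no CORS headers at all.
function allowlistCors(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!requestOrigin) return {};
  let origin;
  try {
    origin = new URL(requestOrigin).origin; // canonical form; drops the default port
  } catch (e) {
    return {}; // malformed or "null" Origin: not allowed
  }
  if (!allowedOrigins.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // ACAO now differs per origin, so caches must key on it.
    'Vary': 'Origin',
  };
}

// Why "just a regex" is risky: this hypothetical unanchored pattern also
// matches an attacker-controlled host that merely contains the trusted name.
const LOOSE_PATTERN = /concord\.example\.com/;
function looseRegexAllows(requestOrigin) {
  return LOOSE_PATTERN.test(requestOrigin || '');
}

// Stand-alone demonstration with constructed inputs.
const evil = 'https://evil.hacker.com';
const lookalike = 'https://concord.example.com.evil.hacker.com';
console.log('reflected  :', reflectedCors(evil));
console.log('allowlist  :', allowlistCors(evil));
console.log('allowlist  :', allowlistCors('https://concord.example.com:443'));
console.log('loose regex:', looseRegexAllows(lookalike), 'vs allowlist:', allowlistCors(lookalike));
```

The allowlist entries are full origins, not hostnames, so a scheme downgrade (`http://concord.example.com`) or an unexpected port is rejected as well; when the set of trusted origins must be configurable, load it from configuration rather than hard-coding it as done here.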
Just a security issue I noticed where the accepted origins on CORS appear to be vulnerable.
If an authenticated user visits a page such as the following, the VICTIMSKEY is alerted. This could also be sent to an attacker.