jgarber623/indieweb-endpoints.cc

Vulnerabilities

1 via 15 paths

Dependencies

85

Source

GitHub

Commit

c3b26fe9

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Web Cache Poisoning

  • Vulnerable module: rack
  • Introduced through: rack@2.2.3, rack-host-redirect@1.3.0 and others

Detailed paths

  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 rack-host-redirect@1.3.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 rack-test@1.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 shotgun@0.9.2 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra@2.1.0 rack-protection@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-contrib@2.1.0 rack-protection@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-asset-pipeline@2.2.1 sinatra@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-contrib@2.1.0 sinatra@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-param@3.4.0 sinatra@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-asset-pipeline@2.2.1 sprockets@3.7.2 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-asset-pipeline@2.2.1 sinatra@2.1.0 rack-protection@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-contrib@2.1.0 sinatra@2.1.0 rack-protection@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-param@3.4.0 sinatra@2.1.0 rack-protection@2.1.0 rack@2.2.3
  • Introduced through: jgarber623/indieweb-endpoints.cc@jgarber623/indieweb-endpoints.cc#c3b26fe9ef880692a44fc49fc79a12d75ef5db95 sinatra-asset-pipeline@2.2.1 sprockets-helpers@1.4.0 sprockets@3.7.2 rack@2.2.3

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

PoC

GET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1

Host: somesite.com

Upgrade-Insecure-Requests: 1        

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag e/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate            

Accept-Language: en-US,en;q=0.9 Connection: close            

The server sees 3 parameters here: q, utm_content and then q again. On the other hand, the proxy considers this full string: 1;q=malicious as the value of utm_content, which is why the cache key would only contain somesite.com/?q=legitimate.

Remediation

A fix was pushed into the master branch but not yet published.

References