Coordinated Disclosure Timeline
- 2024-06-04: Report sent via Private Vulnerability Reporting.
- 2024-06-05: Report is retriaged to an API key leak and fixed. Said report has since been taking down.
- 2024-06-06: DNS rebinding report is resubmitted.
- 2024-06-07: Reporter states that since homepage returns many sources of private information depending on the integrations added, inclusive of location, information about a user’s home, etc, they should be safe be default (implement some sort of Host header verification, automatic certificate setup, or authentication) to prevent DNS rebinding attacks. Maintainers state that they recommend users use SSL and authentication but will not implement it for users.
- 2024-07-26: Maintainer closes report, stating they do not accept it as a valid security vulnerability.
- 2024-08-06: Due to homepage’s large array of supported widgets and high download count, an attacker may be able to extract private information from many homepage instances. CVE-2024-42364 has been assigned in order to help educate homepage users about the dangers of running a homepage instance in its default configuration, without any external authentication or SSL.
Summary
The default setup of homepage is vulnerable to DNS rebinding which may allow an attacker website to read the private information of the homepage owner.
Project
homepage
Tested Version
Details
DNS rebinding vulnerability (GHSL-2024-096)
The default setup of homepage is vulnerable to DNS rebinding. Homepage is setup without certificate and authentication by default, leaving it to vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit his/her website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the homepage instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the webserver after the IP address has changed. When the attacker domain is fetched, the response will be from the homepage instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, a user’s private information such as API keys (fixed after first report) and other private information can then be extracted by the attacker website.
Impact
This issue may lead to Information Disclosure. An attacker can leak the information from homepage instances located on the same intranet as the victim.
CVE
- CVE-2024-42364
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-096 in any communication regarding this issue.