Secret Location header can be modified by modifying request Host header
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Barbican | Fix Released | Medium | Steve Heyman | |
Bug Description
It appears that modifying the "Host" header changes the "Location" header returned on successful secret creation. This does not modify the actual stored secret_ref, as shown below.
```http
POST /v1/secrets HTTP/1.1
Content-Length: 246
Accept-Encoding: gzip, deflate
X-Project-Id: 3793662244d04d2
Connection: keep-alive
Accept: */*
User-Agent: python-
Host: google.com
X-Auth-Token: [VALID TOKEN]
Content-Type: application/json

{"name": "AES key", "algorithm": "aes", "payload_

HTTP/1.1 201 Created
Location: http://
Content-Length: 87
Content-Type: application/json; charset=UTF-8
Connection: close

{"secret_ref": "http://

GET /v1/secrets/
Content-Length: 0
Accept-Encoding: gzip, deflate
X-Project-Id: 3793662244d04d2
Accept: */*
User-Agent: python-
Connection: keep-alive
X-Auth-Token: [VALID TOKEN]

HTTP/1.1 200 OK
Content-Length: 364
Content-Type: application/json; charset=UTF-8
Connection: close

{"status": "ACTIVE", "secret_ref": "http://
```
=== Impact: ===
Could allow an attacker to maliciously redirect the user to a site that the attacker controls. This would have to be a second-order attack, i.e. it would have to cause a problem in some consumer of Barbican that follows the Location header; it does not create a vulnerability in Barbican itself.
=== Systems Vulnerable: ===
Local environment
=== Suggested Mitigation: ===
The fix would likely be simply to use the same secret_ref in the Location header, rather than constructing it from the "Host" header.
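The two ways of building the Location header, and a consumer-side consistency check, as an added example that is not Barbican's own code. The base URL `TRUSTED_HOST_HREF`, the secret id and all function names are assumptions for the example.

```python
import json
from urllib.parse import urlsplit

# Assumed for this example: the externally advertised base URL that the server
# should use for every absolute URL it returns, taken from configuration.
TRUSTED_HOST_HREF = "https://barbican.example.internal:9311"


def location_from_host_header(request_headers, secret_id):
    """The behaviour reported in the bug: the base URL is rebuilt from the
    client-supplied Host header, so a spoofed Host is echoed into Location."""
    return "http://%s/v1/secrets/%s" % (request_headers["Host"], secret_id)


def location_from_secret_ref(secret_ref):
    """Suggested mitigation: reuse the stored secret_ref, which comes from
    configuration rather than from the request."""
    return secret_ref


def secret_ref_for(secret_id):
    return "%s/v1/secrets/%s" % (TRUSTED_HOST_HREF, secret_id)


def create_secret_response(request_headers, secret_id, fixed):
    """Constructed 201 response for the POST /v1/secrets request in the report.
    Returns (headers, json_body)."""
    ref = secret_ref_for(secret_id)
    if fixed:
        location = location_from_secret_ref(ref)
    else:
        location = location_from_host_header(request_headers, secret_id)
    return {"Location": location}, json.dumps({"secret_ref": ref})


def location_is_consistent(response_headers, response_body):
    """Consumer-side check: Location must equal the secret_ref in the body and
    point at the trusted host. Returns (ok, reason)."""
    ref = json.loads(response_body)["secret_ref"]
    loc = response_headers.get("Location", "")
    if loc != ref:
        return False, "Location %r differs from secret_ref %r" % (loc, ref)
    if urlsplit(loc).netloc != urlsplit(TRUSTED_HOST_HREF).netloc:
        return False, "Location host %r is not trusted" % urlsplit(loc).netloc
    return True, "ok"


if __name__ == "__main__":
    spoofed = {"Host": "google.com", "X-Project-Id": "3793662244d04d2"}
    for fixed in (False, True):
        hdrs, body = create_secret_response(spoofed, "constructed-id", fixed)
        print("fixed" if fixed else "vulnerable", hdrs["Location"],
              location_is_consistent(hdrs, body))
```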
=== Further References: ===
No references given
Changed in barbican:
    assignee: nobody → Steve Heyman (sheyman)
    milestone: none → kilo-3

Changed in barbican:
    status: Fix Committed → Fix Released

Changed in barbican:
    milestone: kilo-3 → 2015.1.0
The Location header is updated by WebOb - see https://github.com/Pylons/webob/blob/master/webob/response.py#L1027