Browser back and refresh button attack vulnerability

Bug #1770561 reported by Kristina Hoeppner on 2018-05-11
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
High
Unassigned
17.04
High
Unassigned
17.10
High
Unassigned
18.04
High
Unassigned
18.10
High
Unassigned

Bug Description

About the vulnerability:

The back, forward and refresh buttons of the browser can be used to steal the password of a previous user. In this article we examine the vulnerability and look at ways to solve them.A web browser has the functionality to store the recent pages browsed by the user in its history. The back and forward buttons on the browser make use of this history to display the pages that the user visited recently. The browser also keeps track of the variables that were sent as part of the request to the server for each page. The refresh feature of the browser automates posting of the variables to the server thereby greatly improving the user experience while browsing.These features enhance the user experience but at the same time they expose a high risk vulnerability. This happens due to the application being insecurely designed. Attackers exploit these functionalities of the browser to obtain access to user credentials. Let’s see how this works and the solutions to overcome this problem.

Steps to reproduce: (Attached is the live POC)
- Go to login page of the application and provide the credentials
- Log yourself out from the application
- Pressed the back button, it came to login page.
- which asked me to resubmit the details.
- Credentials got captured in Burpsuite.

How to Fix (Solution that we are looking into):

use an intermediate page between the login page and the first page displayed after authentication (myhome.asp in this case). This intermediate page should be used to redirect the user via an “HTTP Redirect command” to myhome.asp after successful login. In such a scenario, the login request is redirected immediately by the intermediate page.

Reported by Shekhar Suman
http://iosec.in

CVE References

We'll need to ensure that the solution that we implement also works with Mahara Mobile. If the change requires changes on Mahara Mobile, then we would need to have two parallel solutions for Mobile as not everybody will be updating the the latest security release and it is out of the hands of the people downloading the app.

For the security announcement (double-check that the version numbers are still correct:

Prevent a back and refresh attack through the web browser

Impact: Information disclosure

Description:
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack. This allows malicious users with physical access to the web browser of a Mahara user, after they have logged in, to potentially gain access to their Mahara credentials.

Reported by Shekhar Suman
Bug report: https://bugs.launchpad.net/mahara/+bug/1770561
CVE reference: CVE-2018-11195 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11195

information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers