Comment 24 for bug 1409142

Paul McMillan (paul-mcmillan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

(First, a nitpick: this is CSRF or CSWF, definitely not XSS as mentioned in the comment in the patch.)

The patch improves things, but it doesn't completely solve the problem.

I'm sorry to bring these things up, since they're not going to be trivial to patch.

We need to verify that the URL scheme (https or http) in the origin matches the expected scheme. Otherwise, a MITM can spoof an unencrypted page on the same domain, obtain an origin header with the same domain, and conduct the attack against an HTTPS cloud.

We need to maintain a whitelist of expected source domains, and compare against that rather than comparing against the host header. Without this, the current implementation is vulnerable to DNS rebinding.
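The two checks described in this comment, as an added illustration that is not code from the Nova patch or from the commenter: an exact allowlist match on scheme, host and port, set against the Host-header comparison that a DNS-rebinding origin satisfies. Allowlist entries and hostnames are placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the origins that legitimately embed the console
# (placeholder names, not values from the bug report).
ALLOWED_ORIGINS = {"https://console.example.test", "https://console.example.test:8443"}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' for an Origin header value, or None when the
    header is missing, 'null', or not a bare scheme+authority."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:            # non-numeric or out-of-range port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None               # an Origin never carries path, query or userinfo
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def weak_origin_check(origin_header, host_header):
    """The Host-header comparison the comment warns about: a rebinding domain
    pointed at the proxy satisfies it, since both headers name the same host."""
    return urlsplit(origin_header).netloc.lower() == host_header.lower()


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS, require_tls=True):
    """Exact match of scheme, host and port against the allowlist; the scheme
    check keeps an http:// origin spoofed on the same domain away from an
    HTTPS deployment."""
    origin = normalize_origin(origin_header)
    if origin is None:
        return False
    if require_tls and not origin.startswith("https://"):
        return False
    allowlist = {normalize_origin(o) for o in allowed} - {None}
    return origin in allowlist
```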