You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The client's Origin header is reflected in the Access-Control-Allow-Origin header from the server, granting any domain access to CORS resources behind the admin dashboard. There should be a white-list in the configuration that lists allowed Origin headers.
The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they also can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.
kitsune-application-development-kit/KAdmin/Utils/AllowCorsFilter.cs
Lines 12 to 20 in 811be8f
This vulnerability affects the admin dashboard.
The client's Origin header is reflected in the Access-Control-Allow-Origin header from the server, granting any domain access to CORS resources behind the admin dashboard. There should be a white-list in the configuration that lists allowed Origin headers.
The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they also can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.
More info on vulnerability - https://portswigger.net/web-security/cors#server-generated-acao-header-from-client-specified-origin-header
The text was updated successfully, but these errors were encountered: