OverlyPermissiveCORS-Multiple.md

File metadata and controls

97 lines (71 loc) · 4.04 KB

CVE-2025-1083 - Overly Permissive CORS Vulnerability in Mindskip xzs-mysql 3.9.0

Description:

Mindskip xzs-mysql 3.9.0 has an overly permissive Cross-Origin Resource Sharing (CORS) configuration, allowing unauthorized cross-origin requests. This misconfiguration enables attackers to exploit a victim's authenticated session to access sensitive data or perform unauthorized actions by making requests from malicious origins.

Affected Component:

  • Multiple endpoints, including but not limited to:
    • /api/user/login
  • Application Version: 3.9.0

Type of Vulnerability:

Impact:

  • Sensitive Data Exposure: Attackers can access sensitive user data by exploiting the victim's session.
  • Unauthorized Actions: Exploits may include performing unauthorized API calls on behalf of an authenticated user.
  • Session Hijacking: If combined with session fixation or cookie theft, attackers can fully impersonate the victim.

Steps to Reproduce / PoC:

  1. Send Malicious Request With Burp:

    • Modify the Origin header value to http://evil.com, used here as an example of an arbitrary, potentially attacker-controlled domain.
    POST /api/user/login HTTP/1.1
    Host: localhost:8000
    Accept-Encoding: gzip, deflate, br
    Accept: application/json, text/plain, */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Origin: http://evil.com
    Referer: http://evil.com
    request-ajax: true
    Content-Type: application/json
    Sec-CH-UA: "Google Chrome";v="132", "Not=A?Brand";v="8", "Chromium";v="132"
    Sec-CH-UA-Platform: "Linux"
    Sec-CH-UA-Mobile: ?0
    Content-Length: 57
    
    {"userName":"admin","password":"123456","remember":false}
    
    • Observe attacker defined Origin reflected under Access-Control-Allow-Origin: http://evil.com and Access-Control-Allow-Credentials: true.
    HTTP/1.1 200 OK
    Expires: 0
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Set-Cookie: JSESSIONID=hw3jMgAbSDxtjeUz3nbcWVlIJkg810XcO03XLZym; path=/
    X-XSS-Protection: 1; mode=block
    Pragma: no-cache
    Date: Sun, 26 Jan 2025 08:58:50 GMT
    Connection: close
    Access-Control-Allow-Origin: http://evil.com
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    Access-Control-Allow-Credentials: true
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=utf-8
    Content-Length: 319
    
    {"code":1,"message":"成功","response":{"id":null,"userUuid":null,"userName":"admin","password":null,"realName":null,"age":null,"sex":null,"birthDay":null,"userLevel":null,"phone":null,"role":null,"status":null,"imagePath":null,"createTime":null,"modifyTime":null,"lastActiveTime":null,"deleted":null,"wxOpenId":null}}

Root Cause:

The server's CORS configuration is insecure in two combined ways:

  • Access-Control-Allow-Origin dynamically reflects the Origin header from the client request without validating it against a list of trusted origins.
  • Access-Control-Allow-Credentials is set to true, so the browser attaches cookies (here, JSESSIONID) and authentication headers to cross-origin requests, and the reflected origin is permitted to read the response.

Mitigation Recommendations:

  1. Restrict Access-Control-Allow-Origin:

    • Use a strict allowlist of trusted origins.
    • Avoid using * or reflecting the Origin header dynamically.
  2. Avoid Using Access-Control-Allow-Credentials: true:

    • Only allow credentials for specific trusted origins.
    • Ensure that Access-Control-Allow-Origin does not permit arbitrary origins when credentials are enabled.
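The following Python block is an added illustration, not code from the xzs-mysql project (which is a Java/Spring application), showing the two mitigation points above side by side with the reflecting behaviour observed in the PoC: an exact-match allowlist decides whether any Access-Control-Allow-Origin header is emitted at all, credentials are only enabled for a matched origin, and a small checker flags a captured response that exhibits the reflection-plus-credentials combination. The allowlist entries and the `normalize_origin`, `cors_headers_vulnerable`, `cors_headers_hardened` and `flags_overly_permissive` names are assumptions made for this example; the response headers used as sample input are taken from the advisory's captured response.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration only. A real deployment lists the
# exact origins of its own front-ends: scheme + host + port, no path, no "*".
TRUSTED_ORIGINS = frozenset({
    "https://exam.example.test",
    "http://localhost:8000",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] (host lower-cased) for a well-formed origin,
    or None for anything else ("null", a bare hostname, a URL with a path...)."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_vulnerable(request_origin: Optional[str]) -> Dict[str, str]:
    """The pattern described in the advisory: whatever Origin the client sent
    is echoed back, together with Access-Control-Allow-Credentials: true."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_hardened(request_origin: Optional[str],
                          allowlist=TRUSTED_ORIGINS) -> Dict[str, str]:
    """Allowlist version. Only an exact, normalized match earns CORS headers,
    and credentials are enabled only for that matched origin. Substring or
    prefix checks (e.g. 'endswith(\"example.test\")') are deliberately avoided
    because they are bypassed by attacker-registered look-alike domains."""
    if request_origin is None:
        return {}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowlist:
        # No Access-Control-Allow-Origin at all: the browser refuses to expose
        # the response to the calling page. Vary: Origin keeps caches honest.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def flags_overly_permissive(request_origin: str,
                            response_headers: Dict[str, str],
                            allowlist=TRUSTED_ORIGINS) -> bool:
    """Defender-side check for a captured request/response pair (for example
    from a proxy log): True when the client-chosen Origin is reflected in
    Access-Control-Allow-Origin, credentials are allowed, and that origin is
    not one the application is supposed to trust."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").strip().lower()
    if acao is None or acac != "true":
        return False
    reflected = acao.strip() == request_origin.strip()
    untrusted = normalize_origin(request_origin) not in allowlist
    return reflected and untrusted


# Headers from the response shown in the PoC above (body and cookie omitted).
OBSERVED_RESPONSE_HEADERS = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Access-Control-Allow-Origin": "http://evil.com",
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "application/json;charset=utf-8",
}

if __name__ == "__main__":
    for origin in ("http://evil.com", "http://localhost.evil.com",
                   "null", "http://localhost:8000"):
        print(origin, "->", cors_headers_hardened(origin))
    print("observed response flagged:",
          flags_overly_permissive("http://evil.com", OBSERVED_RESPONSE_HEADERS))
```

The hardened function returns no Access-Control-Allow-Origin header for an unknown origin rather than a fixed default, which is the behaviour the browser needs to block the cross-origin read; the checker is the same logic run in reverse over a captured response, which is how the reflection in the PoC can be confirmed across many endpoints without manual inspection.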

References: