Closed sveeke closed 5 years ago
The verifier django app (in badgr-server) that is in the version of code under test is the one that uses the python requests library to make this request, and it should not be limited to only certain domains, because it is intended to allow verification of an open badge from any domain. In the current version of badgr-server (and the slightly older version used by SURFnet's POC server), the openbadges python library replaces the verifier django app, but it implements the same behavior. A user may cause badgr-server to make requests to a malicious server, which could do harmful things like intentionally slow down requests to impact performance of the badgr-server. It is unlikely that requesting content from another server in this context would cause any security issues.
The Add Url Option of the Assign Badge functionality does not use a whitelist to restrict the URLs from which it could load badge images.
The following request was sent to our test host, which was listening for an incoming request on port 80:
Request:
The request was received by our test server.
Impact: With the currently installed version of the Python request plugin, no vulnerabilities are known that could result in exploitation. However, allowing all domains to interact would still increase the attack vector.
Recommendation:
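As an added illustration (not code from this issue or from badgr-server), here is the kind of outbound-URL check that fits the constraint raised in the maintainer's comment: it does not whitelist domains, but rejects non-http(s) schemes and hosts that resolve to loopback, link-local or private ranges, and pairs that with a request timeout so a deliberately slow remote host cannot hold a worker open. The `resolver` parameter and the timeout value are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a badge image URL may use; file://, gopher:// and friends are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# (connect, read) timeout to pass to requests.get(..., timeout=...), bounding how
# long a slow remote host can tie up a worker. Assumed value for this example.
FETCH_TIMEOUT_SECONDS = (5, 10)


def _is_public_address(ip_text):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def _default_resolver(hostname):
    """Resolve hostname to the sorted list of IP strings it currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_fetch_url(url, resolver=_default_resolver):
    """Return (ok, reason); ok is True when url may be fetched by the server.

    Instead of a domain whitelist (which would break verifying badges issued
    from arbitrary domains), reject anything that is not http(s), carries
    credentials, or resolves to a non-public address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every record must be public: a host with one public and one internal
    # record would otherwise let the HTTP client pick the internal one.
    for addr in addresses:
        if not _is_public_address(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"
```

The check resolves the host at validation time, so a name whose DNS answer changes between this check and the actual connection (DNS rebinding) is not covered; that needs the check to happen at connect time or the resolved address to be pinned.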