fjykTec / ModernWMS

This open source, simple and complete warehouse management system is derived from our many years of experience implementing ERP projects. We stripped the WMS function out of our original commercial system and opened it up for free, hoping to help the majority of small and medium-sized enterprises. At present, the system is cross-platform.
https://modernwms.ikeyly.com/
Apache License 2.0
864 stars, 270 forks

Vulnerability : Server-Generated ACAO Header From Client-Specified Origin header #29

Open sgwgsw opened 10 months ago

sgwgsw commented 10 months ago

https://github.com/fjykTec/ModernWMS/blob/62e17273fc96095e9e2210b73e5f1de7a37b9260/backend/ModernWMS.Core/Middleware/CorsMiddleware.cs#L38-L51

The client's Origin header is reflected in the Access-Control-Allow-Origin header from the server, granting any domain access to CORS resources. There should be a white-list in the configuration that lists allowed Origin headers.

The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless the session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.

More info on vulnerability - https://portswigger.net/web-security/cors#server-generated-acao-header-from-client-specified-origin-header
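The allow-list the report asks for, as an added ASP.NET Core example that is not ModernWMS's own CorsMiddleware.cs: the first class shows the reflecting pattern the issue describes, the second only echoes `Origin` back when it exactly matches a configured list. The namespace, class names and the `Cors:AllowedOrigins` setting are assumptions for illustration.

```csharp
// Added example, not code from the ModernWMS repository. Names below are assumptions.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

namespace Example.Middleware
{
    // Weak pattern from the report: whatever Origin the client sends is reflected,
    // and credentials are allowed, so any site can read authenticated responses.
    public sealed class ReflectingCorsMiddleware
    {
        private readonly RequestDelegate _next;
        public ReflectingCorsMiddleware(RequestDelegate next) => _next = next;

        public async Task InvokeAsync(HttpContext context)
        {
            var origin = context.Request.Headers["Origin"].ToString();
            if (!string.IsNullOrEmpty(origin))
            {
                context.Response.Headers["Access-Control-Allow-Origin"] = origin;      // reflected as-is
                context.Response.Headers["Access-Control-Allow-Credentials"] = "true";
            }
            await _next(context);
        }
    }

    // Hardened form: exact-match allow-list read from configuration ("Cors:AllowedOrigins").
    public sealed class AllowListCorsMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly HashSet<string> _allowedOrigins;

        public AllowListCorsMiddleware(RequestDelegate next, IConfiguration config)
        {
            _next = next;
            // Whole-string comparison of scheme://host[:port]; no prefix/suffix matching,
            // so "https://example.com.evil.test" never matches "https://example.com".
            _allowedOrigins = new HashSet<string>(
                config.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>(),
                StringComparer.OrdinalIgnoreCase);
        }

        // Exposed so the rule can be unit-tested without an HttpContext.
        public static bool IsAllowed(string origin, HashSet<string> allowed)
            => !string.IsNullOrEmpty(origin)
               && !string.Equals(origin, "null", StringComparison.OrdinalIgnoreCase) // sandboxed iframes send "null"
               && allowed.Contains(origin);

        public async Task InvokeAsync(HttpContext context)
        {
            var origin = context.Request.Headers["Origin"].ToString();
            if (IsAllowed(origin, _allowedOrigins))
            {
                var headers = context.Response.Headers;
                headers["Access-Control-Allow-Origin"] = origin; // echo only a listed value
                headers["Access-Control-Allow-Credentials"] = "true";
                headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
                headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
                headers["Vary"] = "Origin"; // shared caches must not serve one origin's ACAO to another
            }
            // Unlisted origins get no ACAO header at all, so the browser withholds the response.

            if (HttpMethods.IsOptions(context.Request.Method))
            {
                context.Response.StatusCode = StatusCodes.Status204NoContent;
                return; // preflight answered here, never reaches application handlers
            }
            await _next(context);
        }
    }

    public static class CorsMiddlewareExtensions
    {
        public static IApplicationBuilder UseAllowListCors(this IApplicationBuilder app)
            => app.UseMiddleware<AllowListCorsMiddleware>();
    }
}
```

Register it early in the pipeline (`app.UseAllowListCors();` before routing and endpoints) and list the front-end origins under `Cors:AllowedOrigins` in `appsettings.json`, one full origin per entry such as `"https://wms.example.com"`. Do not put `*` in the list: browsers refuse a wildcard together with `Access-Control-Allow-Credentials: true`, which is exactly why reflecting the caller's `Origin` looks like a convenient workaround and is the bug the report points at.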

JawerZ commented 6 months ago

The situations you mentioned exist, but users need to limit them according to their actual needs.