globaleaks / GlobaLeaks

GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
https://www.globaleaks.org

Exception API Phishing Vulnerability #2181

Open evilaliv3 opened 6 years ago

evilaliv3 commented 6 years ago

This is to keep track of the remediation suggested by Team Subgraph in relation to a possible Phishing Vulnerability on the Exception API as part of their recent security audit: https://github.com/globaleaks/GlobaLeaks/wiki/Security-Audit-5:-Team-Subgraph

Discussion

The application allows unauthenticated access to the exception REST API endpoint. This API will send exception emails to the users configured to receive notifications. The exception emails are generated based on information supplied to the API by the user. This lets users inject potentially misleading or malicious content into exception emails. The handler for the exception API allows unauthenticated access by default (the check_roles directive is set to a wildcard value).

Impact Analysis

This issue can be exploited to launch phishing attacks against users configured to receive exception notification emails. As they will appear to come from the application, and may even be encrypted if encrypted notifications are configured, the target of the phishing attack may trust the email contents. The emails will still include exception information so in all likelihood an attacker would exploit this to trick a user into visiting a malicious link or provide misleading information about the state of the application. The errorUrl field of the exception request allows unformatted input to be injected in the notification emails.

Remediation Recommendations

Our understanding of this API is that it is meant to capture client-side exceptions. Therefore, it may be by-design that exceptions generated by unauthenticated users are captured. This makes the issue trickier to address. A compromise may be to only enable unauthenticated exceptions to be generated in development mode and to require authentication in production mode. GlobaLeaks could also try to filter or structure the exception information in such a way that it cannot be easily manipulated by the user. This may also be challenging to implement. Another option is to advise the recipient of the exception email that the report may contain untrusted information delivered from the client.

evilaliv3 commented 6 years ago

After having discussed with Team Subgraph the reasons for an unauthenticated exception handler, the following has been identified as a valid remediation: add a simple text on top of the message sent via email to administrators when an exception is notified.

The exception notification should contain a trailer message that clarifies that the exception content may contain malicious content or content specifically forged for phishing reasons, and suggests considering that content as possibly malicious.
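The following is an added example (not GlobaLeaks' own code) of how a notification builder can combine the two remediations discussed above: it leads the email with a fixed untrusted-content notice, and it renders each client-supplied field in a constrained shape so free-form text cannot masquerade as part of the message. Only the errorUrl field is named in the audit text; the other field names (errorMessage, stackTrace, agent), the whitelist, the own_host parameter and the sample report are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed field set: only "errorUrl" appears in the audit; the rest are
# illustrative. Anything not listed here is dropped from the mail body.
ALLOWED_FIELDS = ("errorUrl", "errorMessage", "stackTrace", "agent")
MAX_FIELD_LEN = 2000
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Fixed text placed before any client-supplied content, as the issue proposes.
UNTRUSTED_NOTICE = (
    "NOTICE: the details below were submitted by an unauthenticated client\n"
    "and may be forged for phishing purposes. Treat every URL, instruction\n"
    "or claim about the platform's state in them as untrusted; do not follow\n"
    "links or act on instructions found in this report.\n"
)


def sanitize_field(value, max_len=MAX_FIELD_LEN):
    """Coerce a client value to one printable, bounded line.

    Collapsing whitespace removes newlines, so a field cannot open a new
    paragraph or imitate a heading/banner inside the mail body."""
    text = "" if value is None else str(value)
    text = _CONTROL.sub("", text)
    text = " ".join(text.split())
    if len(text) > max_len:
        text = text[:max_len] + " [truncated]"
    return text


def defang_url(value, own_host):
    """Render a client-supplied URL so it stays readable but is not a
    clickable link in most mail clients, and flag hosts other than ours."""
    text = sanitize_field(value, 512)
    parts = urlsplit(text)
    host = parts.hostname or ""
    shown = text.replace("://", "[://]").replace(".", "[.]")
    if parts.scheme not in ("http", "https") or not host:
        return f"{shown} (malformed URL)"
    if host != own_host.lower():
        return f"{shown} (EXTERNAL host {host}, not {own_host})"
    return shown


def build_exception_mail(report, own_host):
    """Return (subject, body) for an exception notification.

    The subject is constant, the body opens with UNTRUSTED_NOTICE, and each
    whitelisted field is emitted as a single labelled line."""
    lines = [UNTRUSTED_NOTICE]
    for name in ALLOWED_FIELDS:
        raw = report.get(name)
        rendered = defang_url(raw, own_host) if name == "errorUrl" else sanitize_field(raw)
        lines.append(f"{name}: {rendered}")
    ignored = sorted(set(report) - set(ALLOWED_FIELDS))
    if ignored:
        lines.append("ignored fields: " + ", ".join(sanitize_field(n, 64) for n in ignored))
    return "Client exception report", "\n".join(lines)


# Constructed sample: an external URL carrying embedded newlines, plus a
# stack trace and an unexpected extra key.
SAMPLE_REPORT = {
    "errorUrl": "https://notice.example/login?next=1\n\nACTION REQUIRED",
    "errorMessage": "TypeError: x is undefined",
    "stackTrace": "at render (app.js:12)\nat main (app.js:3)",
    "agent": "Mozilla/5.0",
    "extra": "ignored",
}

if __name__ == "__main__":
    subject, body = build_exception_mail(SAMPLE_REPORT, "leaks.example")
    print(subject)
    print(body)
```

The notice is emitted from a constant rather than from a template that interpolates client data, so the warning itself cannot be displaced or rewritten by the report; the whitelist and single-line rendering implement the audit's "filter or structure" suggestion without trying to judge what the content means.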