Vulnerabilities found in the web interface - gaming09 - 2023-06-23
*Please delete if this is not helpful or wanted here*
Not sure if this is the right place, but running scans on my 2 instances i have found the following that cant be remediated via firewall/proxy. CVE considered 2 Medium and 1 low
I don't know if this is helpful or not but wanted to share. obfuscated ip's/hostnames
Code: No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to
perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack
is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS,
CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused
deputy, and sea surf.
CSRF attacks are effective in a number of situations, including:
* The victim has an active session on the target site.
* The victim is authenticated via HTTP auth on the target site.
* The victim is on the same local network as the target site.
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose
information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS
can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
URL https://mydomain.com/web/main.jellyfin.bundle.js?b9cc95fa72a6b09d7348
Method GET
Parameter
Attack
Evidence <form style="margin:auto;">
URL https://mydomain.com/web/main.jellyfin.bundle.js?b9cc95fa72a6b09d7348
Method GET
Parameter
Attack
Evidence <form class="popupIdentifyForm" style="margin:auto">
URL https://mydomain.com/web/main.jellyfin.bundle.js?b9cc95fa72a6b09d7348
Method GET
Parameter
Attack
Evidence <form class="identifyOptionsForm hide" style="margin:auto">
URL https://mydomain.com/web/session-forgotPassword-index-html.83b7639c1ba4763bb4cb.chunk.js
Method GET
Parameter
Attack
Evidence <form class="forgotPasswordForm" style="text-align:center;margin:0 auto">
URL https://mydomain.com/web/session-login-index-html.384c1886b01202a35d87.chunk.js
Method GET
Parameter
Attack
Evidence <form class="manualLoginForm margin-auto-x hide">
Instances 5
Solution Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, use anti-CSRF packages such as the OWASP CSRFGuard.
Phase: Implementation
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
Phase: Architecture and Design
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable
(CWE-330).
Note that this can be bypassed using XSS.
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended
to perform that operation.
Note that this can be bypassed using XSS.
Use the ESAPI Session Management control.
This control includes a component for CSRF.
Do not use the GET method for any request that triggers a state change.
Code: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data
injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP
headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript,
CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files
Code: Low Private IP Disclosure
Description A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response
body. This information might be helpful for further attacks targeting internal systems.
URL https://mydomain.com/System/Info/Public
Method GET
Parameter
Attack
Evidence 192.168.x.x
URL https://mydomain.com/web/3302.970459b51af8c20971f1.chunk.js
Method GET
Parameter
Attack
Evidence 192.168.x.x:8096
URL https://mydomain.com/web/main.jellyfin.bundle.js?b9cc95fa72a6b09d7348
Method GET
Parameter
Attack
Evidence 192.168.x.x
Instances 3
Solution Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be
seen by client browsers.
RE: Vulnerabilities found in the web interface - thornbill - 2023-06-23
My initial thoughts are:
- CSRF tokens would be good to add, but probably a lower priority than some of the other known issues atm. (This will require a coordinated effort between server and web.)
- Our reverse proxy documentation does cover adding CSP headers, and we are somewhat limited with what we can add to avoid breaking apps that bundle or wrap the web interface, but we could probably ship some less strict defaults. (This would largely fall on the server side to implement.) There are a couple existing issues and feature requests that are tracking this.
- This one looks like a false positive. It seemed to pickup some of our help text for adding server urls as hardcoded IP addresses. We've seen similar false reports for version number checks that use four digits (i.e. 3.4.1.2).
RE: Vulnerabilities found in the web interface - gaming09 - 2023-06-23
(2023-06-23, 07:32 PM)thornbill Wrote: My initial thoughts are:
- CSRF tokens would be good to add, but probably a lower priority than some of the other known issues atm. (This will require a coordinated effort between server and web.)
- Our reverse proxy documentation does cover adding CSP headers, and we are somewhat limited with what we can add to avoid breaking apps that bundle or wrap the web interface, but we could probably ship some less strict defaults. (This would largely fall on the server side to implement.) There are a couple existing issues and feature requests that are tracking this.
- This one looks like a false positive. It seemed to pickup some of our help text for adding server urls as hardcoded IP addresses. We've seen similar false reports for version number checks that use four digits (i.e. 3.4.1.2).
awesome thank you for the reply
|