Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-49438 PoC — Flask Middleware Flask-security 安全漏洞

Source
https://github.com/brandon-t-elliott/CVE-2023-49438
Associated Vulnerability
Title:Flask Middleware Flask-security 安全漏洞 (CVE-2023-49438)
Description:Flask Middleware Flask-security是Flask Middleware组织的一个基于Python的可为Flask应用提供安全功能的代码库。 Flask Middleware Flask-security Flask-Security-Too 5.3.2及之前版本存在安全漏洞,该漏洞源于允许攻击者通过滥用 /login 和 /register 上的 next 参数,将用户重定向到恶意站点。
Description
CVE-2023-49438 - Open Redirect Vulnerability in Flask-Security-Too
Readme
# CVE-2023-49438

## Proof of Concept

![flask-security-too-open-redirect](https://github.com/brandon-t-elliott/CVE-2023-49438/assets/126433368/e0f0383b-bc74-43fb-a5e0-de5901a447fd)

## Description

An open redirect vulnerability in the python package [Flask-Security-Too](https://github.com/Flask-Middleware/flask-security/) <=version 5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

## Background

Flask-Security-Too contains logic to validate that the URL specified within the next parameter is either relative or has the same network location as the requesting URL. This is in place in an attempt to prevent open redirections.

The Flask-Security-Too python package was [previously found to be vulnerable](https://www.cve.org/CVERecord?id=CVE-2021-32618) to a bypass of the validation logic in place, and version 4.1.0 patched the previously known examples such as `https://example/login?next=\\\github.com`

However, a workaround has been discovered due to how web browsers normalize slashes in URLs, which makes the package vulnerable through version <=5.3.2.

## Examples

`https://example/login?next=/\github.com`

`https://example/login?next=\/github.com`

## Impact

It was previously noted in [CVE-2021-32618](https://www.cve.org/CVERecord?id=CVE-2021-32618) that "if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute."

**However**, with Werkzeug >=2.1.0 the autocorrect_location_header configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.

## Mitigations

1. Update to Flask-Security-Too 5.3.3

```
pip install -U Flask-Security-Too
```

OR

2. Add these configuration options to your app (mitigates all *currently known* examples):
```
app.config['SECURITY_REDIRECT_VALIDATE_MODE'] = "regex"
app.config['SECURITY_REDIRECT_VALIDATE_RE'] = r"^/{4,}|\\{3,}|[\s\000-\037][/\\]{2,}(?![/\\])|[/\\]([^/\\]|/[^/\\])*[/\\].*"
```

OR

3. If Werkzeug >=2.1.0 is used, manually ensure autocorrect_location_header is set to True:
```
@app.after_request
def fix_location_header(response):
    response.autocorrect_location_header = True

    return response
```

## CVE Reference

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49438](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49438)

[https://nvd.nist.gov/vuln/detail/CVE-2023-49438](https://nvd.nist.gov/vuln/detail/CVE-2023-49438)

## Credit

Workaround discovered by [Brandon T. Elliott](https://www.linkedin.com/in/brandon-t-elliott/), November 2023
File Snapshot

 [4.0K]  /data/pocs/5b825fbf0676b9bb772d12c0c24f4cdc832cce5c
└── [2.8K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.