1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 10:22:42 +01:00
phorge-phorge/src/applications
epriestley 5854de8c1c Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:

  - The attacker begins the OAuth workflow and copies the Facebook URL.
  - The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
  - The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
  - The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
  - When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
  - Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
  - The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.

This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.

I'm going to pursue further steps to mitigate this class of attack more thoroughly:

  - Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
  - I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.

Test Plan: Browsed all the affected Phame interfaces.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, arice

Differential Revision: https://secure.phabricator.com/D8481
2014-03-10 16:21:07 -07:00
..
arcanist/conduit Move Conduit methods inside applications 2012-12-21 12:21:59 -08:00
audit Adding author information to AuditListView 2014-03-07 08:40:35 -08:00
auth Automatically verify the setup account's email address 2014-02-27 15:16:04 -08:00
base Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
cache Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk 2014-02-23 16:35:51 -08:00
calendar Make "My Events" default on Calendar 2014-03-05 08:24:45 -08:00
chatlog Various linter fixes. 2014-02-26 12:44:58 -08:00
conduit Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
config Don't actually construct auth providers when checking for their existence 2014-03-04 16:11:28 -08:00
conpherence Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
countdown [Countdown] fix undefined variable errors 2014-02-05 05:33:31 -08:00
daemon Do not perform write in PhabricatorDaemonLogQuery by default 2014-01-21 14:04:12 -08:00
dashboard Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
differential Minor, fix an issue with StoredCustomFields that serialize, like JIRA 2014-03-08 07:36:04 -08:00
diffusion Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
diviner Include Source Sans on-demand with Celerity 2014-03-06 11:39:48 -08:00
doorkeeper Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
draft/storage Differential - add DifferentialDraft to track whether revisions have draft feedback or not 2014-02-18 16:25:16 -08:00
drydock Various linter fixes. 2014-02-26 12:44:58 -08:00
fact Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
feed Add a note suggesting restarting daemons for feed.http-hooks 2014-03-08 06:37:16 -08:00
files Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
flag Various linter fixes. 2014-02-26 12:44:58 -08:00
harbormaster Truncate logSource in Harbormaster to the database column limit 2014-03-07 17:43:46 -08:00
help/controller Make Differential views capability-sensitive 2013-09-26 18:45:04 -07:00
herald Support Herald rules for new Differential edits 2014-03-05 12:07:13 -08:00
home Hide upload JS stuff if user isn't logged in 2014-02-21 13:04:23 -08:00
legalpad Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
lipsum Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
macro Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
mailinglists Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
maniphest Workboards - add task create + improve task placement wrt priority edits 2014-03-05 18:40:28 -08:00
meta Various linter fixes. 2014-02-26 12:44:58 -08:00
metamta Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
notification Add a "Send Test Notification" button to make testing the server easier 2014-02-17 16:00:33 -08:00
nuance Various linter fixes. 2014-02-26 12:44:58 -08:00
oauthserver Initialize used variable 2013-07-09 21:55:27 -07:00
owners Various linter fixes. 2014-02-26 12:44:58 -08:00
passphrase Passphrase - added "looked at secret" transaction. 2014-02-25 14:58:30 -08:00
paste Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
people Exclude disabled (disapproved) users from count on People application on homepage 2014-03-10 16:20:49 -07:00
phame Don't 302 to an external URI, even after CSRF POST 2014-03-10 16:21:07 -07:00
phid Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
phlux Allow CustomField to provide ApplicationTransaction change details 2014-02-21 11:53:04 -08:00
pholio Let Herald activation depend on which transactions are being applied, and generate transactions 2014-03-05 12:06:59 -08:00
phortune Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
phpast Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
phragment Various linter fixes. 2014-02-26 12:44:58 -08:00
phrequent Various linter fixes. 2014-02-26 12:44:58 -08:00
phriction Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
policy Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
ponder Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
project Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
releeph Use CustomField, not AuxiliaryField, to power RevisionView 2014-02-27 11:06:14 -08:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
search Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
settings There should be no spaces before closing parenthesis in calls. 2014-02-26 12:49:33 -08:00
slowvote Various linter fixes. 2014-02-26 12:44:58 -08:00
subscriptions Various linter fixes. 2014-02-26 12:44:58 -08:00
system Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
tokens Wrap the feed text rendering stuff with htmlspecialchars_decode 2014-02-03 17:05:30 -08:00
transactions Use TransactionEditor in differential.createcomment 2014-03-07 17:44:10 -08:00
typeahead Various linter fixes. 2014-02-26 12:44:58 -08:00
uiexample PHUITimelineView 2014-02-12 09:02:05 -08:00
xhprof Use JSON, not PHP serialization, for XHProf profiles. 2014-02-24 04:16:52 -08:00