Broken CORS

Module: sails

Published: October 20th, 2016

Reported by: Evan Johnson

CVE-NONE

Vulnerable: <=0.12.7
Patched: >0.12.7

Overview

Sails is an MVC-style framework for building realtime web applications.

Version 0.12.6 and lower have an issue with the CORS configuration where the value of the Origin header is reflected as the value of the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML document, effectively bypassing the Same Origin Policy. Note that this is only an issue when allRoutes is set to true and origin is set to * or left commented out in the Sails CORS config file. The problem can be compounded when the CORS credentials setting is not provided. At that point authenticated cross-domain requests are possible.

Remediation

When using Sails, make sure to double-check your CORS configuration. Using allRoutes: true with origin: '*' will enable the vulnerable behavior, as will failing to uncomment origin and set it to a reasonable value. If origin is set to *, ensure that you truly mean for all other websites to be able to make cross-domain requests to your API.

Likewise, ensure credentials is uncommented and set to the appropriate value. Make sure to explicitly set which origins may request resources via CORS.

In versions 0.12.7 and higher of Sails, a misconfiguration in a production environment will result in an error message being written to the Node process console when the application starts.
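The check below is an added example, not code from Sails or from the advisory's author. It audits the object exported as module.exports.cors in config/cors.js for the combination described above. The helper name auditCorsConfig, the finding format and the sample configurations are assumptions made for illustration.

```javascript
'use strict';

// Added example. auditCorsConfig is a hypothetical helper, not a Sails API.
// It takes the object exported as module.exports.cors in config/cors.js.
function auditCorsConfig(cors) {
  const cfg = cors || {};
  const findings = [];
  // A commented-out setting is simply absent from the exported object.
  const originOpen =
    cfg.origin === undefined || String(cfg.origin).trim() === '*';

  if (cfg.allRoutes === true && originOpen) {
    findings.push({
      setting: 'origin',
      message: 'allRoutes is true and origin is "*" or unset; ' +
        'set origin to the specific sites that may call this API'
    });
    // Assumption: an explicit true is treated like an unset value here,
    // since either way credentialed cross-domain requests are allowed.
    if (cfg.credentials !== false) {
      findings.push({
        setting: 'credentials',
        message: 'credentials is unset or true while origin is open; ' +
          'authenticated cross-domain requests are possible'
      });
    }
  } else if (cfg.credentials === undefined) {
    findings.push({
      setting: 'credentials',
      message: 'credentials is commented out; set it explicitly'
    });
  }
  return findings;
}

// Constructed sample configurations (not taken from any real application).
const samples = {
  untouched: { allRoutes: true }, // origin and credentials left commented out
  wildcard: { allRoutes: true, origin: '*', credentials: false },
  hardened: { allRoutes: true, origin: 'https://app.example.com', credentials: true }
};

for (const [name, cfg] of Object.entries(samples)) {
  const found = auditCorsConfig(cfg).map((f) => f.setting);
  console.log(name, found.length ? found.join(', ') : 'ok');
}
```

Running the same check against the production configuration in CI catches the risky combination before deployment, independently of the startup message.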
