关联漏洞
标题:
Flask 安全漏洞
(CVE-2023-30861)
描述:Pallets Project Flask是Pallets项目的一款轻量级的WSGI(Web服务器网关接口)应用程序框架。 Flask存在安全漏洞,该漏洞源于用于一个客户端的数据响应可能会被缓存并随后由代理发送给其他客户端。
描述
Explaining how to exploit CVE-2023-30861
介绍
# Intro
This bug happens because Flask doesn't tell the caching server (proxy) to be careful with sensitive information like cookies.
To use this attack you have to check your checklist
- **User** must use a proxy and accesses the flask webapp
- **Proxy** must be caching proxy (caching server).
- **Flask** version of the targeted flask website that user uses must be before `2.2.5`
- **Attacker** must have access to the caching proxy of the proxy that **User** uses
**Why the proxy?**
A caching proxy is like a helper that stores copies of web pages to make them load faster when you visit them again.
- Chat-GPT
Using this type of proxies to access any website runs on `Flask < 2.2.5` makes the proxy server stores your cockies for fast load, because the proxy doesn't know it's a sensitve data, because `Flask` didn't tell the proxy server it's a sensitve data.
**The imapct of this attack**
This attack could allow the attacker to steal sensitive information like user session cookies.
# PoC
First I want you to host this code to anywhere you like:
```python
from flask import Flask, session
app = Flask(__name__)
app.config['SESSION_PERMANENT'] = True
#app.config['SESSION_REFRESH_EACH_REQUEST'] = True
@app.route('/')
def index():
session['user_id'] = 1
return 'CVE-2023-30861!'
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
```
This code is a simple `Flask` website, remember the version must be `< 2.2.5`.
Now access this website with via caching proxy that you have access to and wait for another user to access same website with the same proxy.
after that you will get that user session from cache.
# Support
If you would like to support me with donation, I recommend you to give it to someone who really need it please. If you do so then consider that i earned your support.
<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
文件快照
[4.0K] /data/pocs/be53b9b0935ca53cf326044817cd027a3e1cfdb9
└── [2.0K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。