
Overly Permissive Cross Origin Resource Sharing Policy

Open irfanasyraf opened this issue 1 year ago • 2 comments

Description:

The Cross Origin Resource Sharing Policy refers to the domains which are allowed to use resources from the server. The allowed domains are indicated in the "Access-Control-Allow-Origin" HTTP response header. It was observed the server uses a wildcard for Cross-Origin Resource Sharing (CORS). This allows arbitrary domains to interact with the application which would allow an attacker to exploit that trust relationship.

Is there any way we can remove the 'Cross-Origin-Resource-Policy' completely?

Risk Rating: Low
CVSS: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C - 2.9
CWE: CWE-942: Overly Permissive Cross-domain Whitelist

Steps to reproduce:

  1. Make any valid request to the following host with an arbitrary domain in the "Origin" header value and observe the server's response.

e.g. curl -v -k -H "Origin: https://test123.com" "https://<rocketchat domain>"

Expected behavior:

It is recommended to remove the wildcard from the Cross Origin Resource Sharing policy. Only trusted domains that require access should be allowed and the domains should be stated explicitly. If the headers are not required, it should be disabled.

Actual behavior:

Screenshot 2024-06-28 at 3 40 11 PM

Server Setup Information:

Version of Rocket.Chat Server: v6.9.2
Operating System: Linux
Deployment Method: docker (taken from OpenSource Rocketchat Docker)
Number of Running Instances: 1 server, 1 Database
MongoDB Version: 6.0.13

irfanasyraf avatar Jun 28 '24 07:06 irfanasyraf

I imagine this suffers from the same problem that you have here

https://github.com/RocketChat/Rocket.Chat/issues/32695

My Rocketchat Application is fronted by an AWS ALB so I might redirect it using WAF rules before it reaches the instance where my server is hosted.

I think you need to start with your own webserver.

reetp avatar Jun 29 '24 11:06 reetp

Hi,

We will test with our own web server.

Thank You for the recommendation!

irfanasyraf avatar Jul 04 '24 04:07 irfanasyraf

We will test with our own web server.

Any news please?

reetp avatar Jul 16 '24 13:07 reetp

Hi,

I have set up an Apache webserver in front of my application and included the "Header unset Access-Control-Allow-Origin" directive in the httpd.conf to apply the changes, and it works!

Thank you, and you may close this case.

irfanasyraf avatar Jul 22 '24 06:07 irfanasyraf
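As an added example (not part of this thread and not Rocket.Chat code), a small Python check that does what step 1 of the report does and classifies the Access-Control-Allow-Origin header it gets back: the wildcard state reported in the issue, the header-absent state after the reverse proxy unsets it, and the reflected-origin cases a tester should also look for. The probe origin and the two sample header sets are constructed; `probe()` runs the same classification against a live URL you operate.

```python
"""Classify a server's CORS posture from its response headers."""
import http.client
from urllib.parse import urlparse

# Constructed probe origin: any domain the server should not trust will do.
PROBE_ORIGIN = "https://test123.example"


def classify_cors(probe_origin, headers):
    """Return (verdict, detail) for a response whose header names are lowercased."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "absent", "no Access-Control-Allow-Origin; browser same-origin policy applies"
    if acao == "*":
        # Browsers refuse to send cookies to a '*' origin, so the exposure is
        # limited to unauthenticated responses, which matches the Low rating.
        return "wildcard", "any origin may read unauthenticated responses"
    if acao == probe_origin:
        if creds:
            return "reflected-with-credentials", "forged origin reflected and credentials allowed"
        return "reflected", "forged origin reflected without credentials"
    return "allowlisted", "only %s is allowed" % acao


def probe(url, probe_origin=PROBE_ORIGIN, timeout=5):
    """GET the URL with a forged Origin header and classify the live response."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/", headers={"Origin": probe_origin})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return classify_cors(probe_origin, headers)


# Constructed sample responses: the state reported in the issue, and the state
# after "Header unset Access-Control-Allow-Origin" at the reverse proxy.
SAMPLE_BEFORE = {"content-type": "application/json", "access-control-allow-origin": "*"}
SAMPLE_AFTER = {"content-type": "application/json"}

if __name__ == "__main__":
    import sys
    for name, hdrs in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, *classify_cors(PROBE_ORIGIN, hdrs))
    if len(sys.argv) > 1:
        print("live", *probe(sys.argv[1]))
```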

This issue has been marked as stale because there has been no further activity in the last 10 days. If the issue remains stale for the next 4 days (a total of 14 days with no activity), then it will be assumed that the question has been resolved and the issue will be automatically closed.

github-actions[bot] avatar Aug 05 '24 12:08 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Aug 19 '24 18:08 github-actions[bot]