chrismccord

chrismccord

Creator of Phoenix

Phoenix 1.3, 1.4, 1.5, and 1.6 security releases for wildcard check_origin vulnerability

Phoenix 1.3.5, 1.4.18, 1.5.14, and 1.6.14 have been released to resolve a vulnerability in wildcard check_origin configurations.

Previously, our documentation points to a wilcard example of:

check_origin: [
  "//*.other.com"
]

Which should allow any subdomain of “other.com”, but our comparison for "//*.other.com" would allow api.any-other.com, which would allow an attacker to register a domain with a custom prefix of a target domain and pass origin checks. These releases ensures the host comparison only matches subdomains or the host itself.

Who is affected?

Only those using a wildcard check origin are affected, and potential exploits are limited allowing unauthenticated channel connections from a bad host. Because LiveView adds its own csrf token to the connection by default, LiveView applications with wildcard check origin would refuse connection under this scenario. Additionally, channel applications utilizing token based authentication would require the attacker to also have a valid token to connect from a bad host. Phoenix channels does not allow access to cookies, so an attacker would also not be able to pass their own cookies from a bad host.

If you are unable to upgrade to a new version, a workaround to mitigate the issue is to use an extra . in your wildcard, such as "//*..other.com"

Thank you to James Van Lommel at Semsee for disclosing this vulnerability and working with us to establish a fix.

–Chris

Most Liked

josevalim

josevalim

Creator of Elixir

If you upgrade, you must not change the pattern to "//*..other.com". Doing so means it would allow foo..other.com but not foo.other.com.

hubertlepicki

hubertlepicki

Hey @chrismccord can you clarify if we have to upgrade and change the pattern to “//*..other.com” or if we upgrade we don’t have to change it?

hubertlepicki

hubertlepicki

Thank you, that’s clear now.

Where Next?

Popular in Phoenix News Top

steffend
LiveView 1.2.0 is out now! Colocated CSS The biggest new feature is support for Colocated CSS, which is built on the work we did in 1.1 ...
New
New
chrismccord
A minor vulnerability has been disclosed for applications redirecting to URLs provided by user input. Only applications passing user inpu...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
chrismccord
The final release of Phoenix 1.7 is out! Most of the new features have been outlined in the 1.7 RC thread, but it has been a few months s...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 31194 112
New
chrismccord
You can read the announcement on the blog, but I’ll dup most of it here for discussion purposes: ––––––––––––––––––––––––––––––––––––––...
451 14130 109
New
chrismccord
Announcement post dup’d here for convenience: Phoenix 1.7.2 is out! This minor release includes a couple features worth talking about. ...
New
josevalim
We were notified by Panagiotis Nezis that certain payloads could take a long time to process when converted to integers. New Erlang/OTP v...
New
chrismccord
I’m pleased to announce the first release candidate of Phoenix 1.6.0 has landed on the heels of a fresh LiveView 0.16 release! This relea...
New

Other popular topics Top

New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New

We're in Beta

About us Mission Statement