Lucene search

GitHub Advisory DatabaseGHSA-99F9-GV72-FW9R

HistoryFeb 01, 2024 - 8:53 p.m.

Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2

2024-02-0120:53:08

CWE-436

GitHub Advisory Database

github.com

bref

multiple value headers

apigatewayformatv2

application security

php

security issue

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Impacted Resources

bref/src/Event/Http/HttpResponse.php:61-90

Description

When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.

Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.

Impact

If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.

For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one.

PoC

Create a new Bref project.
Create an index.php file with the following content:

&lt;?php
header("Content-Security-Policy: script-src 'none'", false);
header("Content-Security-Policy: img-src 'self'", false);
?&gt;
&lt;script&gt;alert(document.domain)&lt;/script&gt;
<img src="https://bref.sh/favicon-32x32.png">

Use the following serverless.yml to deploy the Lambda:

service: app

provider:
    name: aws
    region: eu-central-1

plugins:
    - ./vendor/bref/bref

functions:
    api:
        handler: index.php
        description: ''
        runtime: php-81-fpm
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        events:
            -   httpApi: '*'

# Exclude files from deployment
package:
    patterns:
        - '!node_modules/**'
        - '!tests/**'

Browse the Lambda URL.
Notice that the JavaScript code is executed as the Content-Security-Policy: script-src 'none' header has been removed.
Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.
Start a PHP server inside the project directory (e.g. php -S 127.0.0.1:8090).
Browse the index.php script through the PHP server (e.g. http://127.0.0.1:8090/index.php).
Notice that the JavaScript code is not executed as the Content-Security-Policy: script-src 'none' header has been kept.
Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.

Suggested Remediation

Concatenate all the multiple value headers’ values with a comma (,) as separator and return a single header with all the values to the API Gateway.

References

https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2

Affected configurations

Vulners

Node

brefbrefRange<2.1.13

VendorProductVersionCPE
brefbref*cpe:2.3:a:bref:bref:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
bref	bref	*	cpe:2.3:a:bref:bref::::::::

References

github.com/advisories/GHSA-99f9-gv72-fw9r

github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90

github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc

github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r

nvd.nist.gov/vuln/detail/CVE-2024-24753

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Related for GHSA-99F9-GV72-FW9R