chrismccord

chrismccord

Creator of Phoenix

Phoenix 1.3, 1.4, 1.5, and 1.6 security releases for wildcard check_origin vulnerability

Phoenix 1.3.5, 1.4.18, 1.5.14, and 1.6.14 have been released to resolve a vulnerability in wildcard check_origin configurations.

Previously, our documentation points to a wilcard example of:

check_origin: [
  "//*.other.com"
]

Which should allow any subdomain of “other.com”, but our comparison for "//*.other.com" would allow api.any-other.com, which would allow an attacker to register a domain with a custom prefix of a target domain and pass origin checks. These releases ensures the host comparison only matches subdomains or the host itself.

Who is affected?

Only those using a wildcard check origin are affected, and potential exploits are limited allowing unauthenticated channel connections from a bad host. Because LiveView adds its own csrf token to the connection by default, LiveView applications with wildcard check origin would refuse connection under this scenario. Additionally, channel applications utilizing token based authentication would require the attacker to also have a valid token to connect from a bad host. Phoenix channels does not allow access to cookies, so an attacker would also not be able to pass their own cookies from a bad host.

If you are unable to upgrade to a new version, a workaround to mitigate the issue is to use an extra . in your wildcard, such as "//*..other.com"

Thank you to James Van Lommel at Semsee for disclosing this vulnerability and working with us to establish a fix.

–Chris

Most Liked

josevalim

josevalim

Creator of Elixir

If you upgrade, you must not change the pattern to "//*..other.com". Doing so means it would allow foo..other.com but not foo.other.com.

hubertlepicki

hubertlepicki

Hey @chrismccord can you clarify if we have to upgrade and change the pattern to “//*…other.com” or if we upgrade we don’t have to change it?

hubertlepicki

hubertlepicki

Thank you, that’s clear now.

Where Next?

Popular in Phoenix News Top

chrismccord
LiveView 1.0.0-rc.0 is out! This 1.0 milestone comes almost six years after the first LiveView commit. I published a Phoenix blog highli...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30048 115
New
New
chrismccord
I’m pleased to announce the first release candidate of Phoenix 1.6.0 has landed on the heels of a fresh LiveView 0.16 release! This relea...
New
josevalim
We were notified by Panagiotis Nezis that certain payloads could take a long time to process when converted to integers. New Erlang/OTP v...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
chrismccord
The final release of Phoenix 1.7 is out! Most of the new features have been outlined in the 1.7 RC thread, but it has been a few months s...
New
chrismccord
Announcement post dup’d here for convenience: Phoenix 1.7.2 is out! This minor release includes a couple features worth talking about. ...
New
chrismccord
Phoenix 1.3.5, 1.4.18, 1.5.14, and 1.6.14 have been released to resolve a vulnerability in wildcard check_origin configurations. Previou...
New
chrismccord
Check the announcement blog for details! Blog duped here for convenience: Phoenix 1.8.0-rc released! The first release candidate of P...
414 11568 167
New

Other popular topics Top

gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 45766 226
New
ycv005
I have followed this StackOverflow post to install the specific version of Erlang. And When I am running mix ecto.setup then getting fol...
New
lk-geimfari
What is most correct way to open, read and parse JSON file with poison? For example if we have example.json file in root of some projec...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
magnetic
Hey :wave:t3: Elixir community, I’ve been learning Elixir, and working on some side projects. My editor of choice is VSCode, and althoug...
New

We're in Beta

About us Mission Statement