Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.

------------------------------------------
[Additional Information]
The rack-cors gem can be used to configure CORS access headers for any web site. A security researcher, Jens Mueller, notified us of an exploitable CORS misconfiguration for the [REDACTED] web site. During the course of the investigation, we realized the rack-cors 0.4.0 gem was generating regexes without proper trailing anchors for configured origin domains. The issue is fixed in version 0.4.1 of the gem, but no attention was drawn to the fix in https://github.com/cyu/rack-cors/blob/master/CHANGELOG and there were no assigned CVEs (as of early 2017) for the vulnerable versions of the gem. According to rubygems.org, there are at least 7,614,856 downloads for versions < 0.4.1 of the gem.

The researcher, Jens, reports there are a number of top Alexa sites that have vulnerable CORS configurations. He tells us many of these sites are using the rack-cors gem. He has been scanning the web at large and has published a tool at https://github.com/RUB-NDS/CORStest to check for vulnerable CORS configurations.

Affected sites are those that are running rack-cors < 0.4.1 and are specifying origin domains as string parameters:

use Rack::Cors do
  allow do
    origins 'example.com', ...
    ...
  end
end

We have been in contact with Jens and suggested filing a CVE for vulnerable versions of the gem. He said he does not have the time to fill out the paperwork, so we are publishing this for him. All credit to Jens for discovery of the vulnerability.
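The following Ruby snippet is added here to illustrate the bug class the report describes; it is not code from rack-cors. It builds an origin-matching regex from a configured host string in two ways: once without a trailing anchor (the 0.4.0 behaviour as described above) and once with an end-of-string anchor (the hardened form), then evaluates both against constructed Origin header values. The helper names (`unanchored_origin_regex`, `anchored_origin_regex`, `origin_allowed?`, `accepted_origins`), the exact regex shape and the sample Origin values are assumptions made for this example; the precise pattern rack-cors 0.4.0 emitted is not reproduced here.

```ruby
# Illustration of the missing-anchor bug class (constructed example, not
# rack-cors' own code; the regex shape and helper names are assumptions).
#
# A string origin such as 'example.com' is turned into a regex that the
# browser-supplied Origin header must match. Without a trailing anchor the
# pattern only requires that the Origin header *start* with the configured
# host, so look-alike hosts under an attacker-controlled domain also match.

# Hypothetical helper: the flawed form. Scheme, '://', then the quoted host,
# with a start anchor but no end anchor.
def unanchored_origin_regex(host)
  Regexp.new("\\A[a-z][a-z0-9.+-]*://#{Regexp.quote(host)}")
end

# Hypothetical helper: the hardened form. Terminating the host with \z means
# the configured host must be the entire host part of the Origin header.
def anchored_origin_regex(host)
  Regexp.new("\\A[a-z][a-z0-9.+-]*://#{Regexp.quote(host)}\\z")
end

# True when the Origin header value is accepted by the given pattern.
def origin_allowed?(pattern, origin_header)
  pattern.match?(origin_header)
end

# Constructed sample Origin headers: the trusted site plus the two look-alike
# hosts named in the report (a subdomain-style and a hyphen-style variant).
SAMPLE_ORIGINS = [
  'https://example.com',
  'https://example.com.example.net',
  'https://example.com-example.net',
].freeze

# Return the subset of SAMPLE_ORIGINS that a pattern would let through.
def accepted_origins(pattern)
  SAMPLE_ORIGINS.select { |origin| origin_allowed?(pattern, origin) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unanchored: #{accepted_origins(unanchored_origin_regex('example.com')).inspect}"
  # => all three sample origins are accepted
  puts "anchored:   #{accepted_origins(anchored_origin_regex('example.com')).inspect}"
  # => only "https://example.com" is accepted
end
```

One caveat with the anchored form: an Origin that carries an explicit port (for example `https://example.com:8443`) no longer matches `'example.com'` and has to be configured on its own, which is the correct outcome for an allow-list but can surprise deployments that previously matched by accident. Sending a request whose Origin is a look-alike of a trusted host and inspecting the `Access-Control-Allow-Origin` response header is the manual version of the check the CORStest tool mentioned above automates.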
------------------------------------------
[VulnerabilityType Other]
Incorrect Access Control

------------------------------------------
[Affected Product Code Base]
rack-cors gem - Affected: 0.4.0 and below, Fixed: 0.4.1

------------------------------------------
[Affected Component]
https://github.com/cyu/rack-cors/blob/v0.4.0/lib/rack/cors.rb#L256

------------------------------------------
[Attack Type]
Remote

------------------------------------------
[CVE Impact Other]
Incorrect handling of origin configuration results in CORS request authorization for malicious third-party sites/domains

------------------------------------------
[Attack Vectors]
A malicious actor may perform actions on behalf of a logged-in user of example.com by convincing the logged-in user to visit example.com.example.net or example.com-example.net. This may be disguised via phishing with URL shortener services. E.g. "A politician does something crazy again! Read about it here: http://t.co/xyz" -> expands to example.com.example.net, performs CORS requests to example.com, and then redirects to the original article.

------------------------------------------
[Discoverer]
Jens Mueller