https://feed.craftedsignal.io/products/i18next-http-middleware/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-vuln/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-vuln/Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.i18next-http-middleware versions prior to 3.9.3 are susceptible to prototype pollution, path traversal, and SSRF attacks. The vulnerability stems from the insufficient validation of the lng (language) and ns (namespace) parameters passed via HTTP requests to the getResourcesHandler and the missingKeyHandler. These handlers, intended to serve localization resources, expose attack surface because they process user-controlled input without proper sanitization. This allows attackers to manipulate object properties, access unintended files or internal services, and cause denial-of-service conditions. The vulnerability was discovered via an internal security audit. Defenders should upgrade to version 3.9.3 to remediate the risks.

Attack Chain

1. The attacker crafts an HTTP GET request to the /locales/resources.json endpoint, targeting the getResourcesHandler.
2. The request includes malicious lng and ns query parameters, such as lng=__proto__&ns=isAdmin, or ns=../../etc/passwd.
3. The getResourcesHandler extracts the lng and ns parameters without sufficient validation.
4. The lng and ns values are passed to utils.setPath(resources, [lng, ns], ...) which allows writing to the Object prototype if lng is __proto__.
5. The lng and ns values are passed to i18next.services.backendConnector.load(languages, namespaces, ...) to load resource bundles. With filesystem or HTTP backends, this can enable path traversal or SSRF if ns or lng contain malicious path segments.
6. Alternatively, the attacker sends a POST request with a body containing a malicious __proto__ key to missingKeyHandler, for example {"__proto__": {"isAdmin": true}}.
7. The missingKeyHandler iterates over the request body using for...in, including inherited prototype properties, and forwards the malicious data into saveMissing.
8. Successful exploitation leads to prototype pollution, arbitrary file access, SSRF, or denial of service.

Impact

Successful exploitation can have significant consequences. Prototype pollution allows attackers to manipulate object properties globally, leading to broken authorization checks (e.g., bypassing if (user.isAdmin)), type confusion errors, or potentially remote code execution. Path traversal enables access to sensitive files on the server, like configuration files or password databases, while SSRF allows attackers to interact with internal services. Finally, the unbounded growth of the i18next.options.ns list and repeated backend load calls can lead to denial of service due to memory and CPU exhaustion. This can impact availability of the service and potentially other services on the same host.

Recommendation

• Upgrade to i18next-http-middleware version 3.9.3 or later to address the vulnerabilities.
• Deploy the Sigma rules provided below to detect exploitation attempts targeting the getResourcesHandler and missingKeyHandler endpoints.
• If upgrading is not immediately feasible, implement a WAF rule as a partial mitigation to block requests containing __proto__, constructor, prototype, .., or control characters in lng/ns query parameters or body keys as suggested in the advisory.

]]>highadvisoryprototype-pollutionpath-traversalssrfdenial-of-servicei18nexthttps://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-crlf/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-crlf/i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.The i18next-http-middleware library, in versions prior to 3.9.3, exhibits a vulnerability stemming from insufficient sanitization of user-controlled language values. These values are written into the Content-Language HTTP response header. The utils.escape() function, employed for sanitization, performs HTML-entity encoding but fails to strip critical characters like carriage return and line feed. When the application uses an older i18next (< 19.5.0) or produces raw detected values, CRLF sequences within the lng parameter reach res.setHeader('Content-Language', ...) without proper escaping. This flaw can result in HTTP response splitting (Node.js < 14.6.0) or a denial-of-service condition (Node.js >= 14.6.0), impacting all concurrent users of the affected process. The same vulnerability is triggered multiple times per request. This issue is resolved in version 3.9.3.

Attack Chain

1. The attacker crafts a malicious HTTP request targeting an application using a vulnerable version of i18next-http-middleware. The request includes a lng parameter with a payload containing CRLF sequences (e.g., %0d%0a).
2. The i18next-http-middleware receives the request and extracts the language value from the lng parameter.
3. The extracted language value is passed through utils.escape(), which performs HTML-entity encoding but does not remove CRLF sequences.
4. The middleware attempts to set the Content-Language header using res.setHeader(), incorporating the unsanitized language value.
5. If the Node.js version is less than 14.6.0, the res.setHeader() function processes the CRLF sequences, resulting in HTTP response splitting. This allows the attacker to inject arbitrary headers and control parts of the response body.
6. If the Node.js version is 14.6.0 or greater, res.setHeader() throws an ERR_INVALID_CHAR error because the value contains CRLF sequences.
7. The middleware fails to catch this error, and the exception propagates, leading to an unhandled exception.
8. The unhandled exception causes the Node.js process to terminate or become unresponsive, resulting in a denial-of-service condition for all concurrent users sharing that process.

Impact

Successful exploitation allows attackers to inject arbitrary HTTP headers, leading to session fixation, cache poisoning, or reflected XSS attacks. In Node.js versions 14.6.0 and later, exploitation leads to a denial-of-service condition, potentially impacting all users of an application instance. This can result in significant disruption of service availability and potential data compromise. The number of affected applications is unknown, but any application using a vulnerable version of i18next-http-middleware is at risk.

Recommendation

• Upgrade i18next-http-middleware to version 3.9.3 or later to address the vulnerability by patching the utils.sanitizeHeaderValue() function, as described in the advisory.
• Deploy the Sigma rule Detect i18next-http-middleware CRLF Injection Attempt to monitor for exploitation attempts by detecting suspicious URL-encoded characters in HTTP requests.
• Implement a Web Application Firewall (WAF) rule to reject requests containing \r or \n characters in query parameters, cookies, and path segments as a partial mitigation, as suggested in the advisory.
• Enable web server logging to ensure events related to potential exploits are captured for analysis.

]]>mediumadvisorycrlf-injectionhttp-response-splittingdenial-of-servicei18next