Netlify vulnerable to XSS, SSRF attacks via cache poisoning

The problem has since been fixed

A vulnerability in Netlify could allow an attacker to achieve persistent cross-site scripting (XSS) or full-response server-side request forgery on any supported website.

Netlify is a web development platform that also offers serverless hosting and backend services for websites.

Security researchers found that Netlify was open to XSS attacks because of a cache poisoning vulnerability.

The security flaw, tracked as CVE-2022-39239, allowed an attacker to bypass the source image domain’s whitelist by sending specially crafted headers, causing the handler to load and return arbitrary images.

Since the response is cached globally, the image would be served to visitors without the need to set these headers.

Therefore, an attacker could achieve XSS by requesting a malicious SVG file with embedded scripts, which would then be executed from the site’s domain.

GitHub’s notice explains: “Note that this does not apply to images loaded in <img> tags, as scripts are not executed in this context.”

It adds: “The image URL can be set in the header independently of the request URL, meaning any image on the site that hasn’t been previously cached can have its cache poisoned.”

URL Parsing Danger

A blog post by Sam Curry, one of the researchers involved in the discovery, explained that the bug affected several websites including Gemini, PancakeSwap, Docusign, Moonpay and Celo.

Curry wrote: “It is possible to achieve cross-site scripting and server-side request forgery on any website running the library “” if developers have whitelisted a host in the configuration file, due to bad URL parsing in the library “”.

“This could be abused on a large number of websites as the “” route is installed [by default] on many Netlify installations.”

The issue was reported on August 24, 2022 and patched two days later in version 1.2.3.

“The issue is no longer exploitable on Netlify as the CDN [content delivery network] now sanitizes the corresponding header. The contents of the cache can be cleared by redeploying the site,” the notice reads.

More technical details can be found in Curry’s write-up.

The Daily Swig has reached out to Curry for further comment and will update this article accordingly.
