A security researcher has discovered a severe vulnerability in the popular, open source event-driven platform StackStorm that could allow remote attackers to trick developers into unknowingly execute arbitrary commands on targeted services.StackStorm, aka “IFTTT for Ops,” is a powerful event-driven automation tool for integration and automation across services and tools that allows developers to configure actions, workflows, and scheduled tasks, in order to perform some operations on large-scale servers.For example, you can set instructions (if this, then that) on Stackstorm platform to automatically upload network packet files to a cloud-based network analyze service, like CloudShark, in events when your security software detects an intrusion or malicious activity in the network.
Since StackStorm executes actions—which can be anything, from the HTTP request to an arbitrary command—on remote servers or services that developers integrate for automated tasks, the platform runs with quite high-privileges.
According to the details Barak Tawily, an application security researcher, shared with The Hacker News prior to the release, the flaw resided in the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers, eventually enabling web browsers to perform cross-domain requests on behalf of the users/developers authenticated to StackStorm Web UI.

“Specifically what the StackStorm API returned for Access-Control-Allow-Origin. Prior to [StackStorm] 2.10.3/2.9.3, if the origin of the request was unknown, we would return null,” StackStorm said in a blog post about the vulnerability.”As Mozilla’s documentation will show, and client behavior will back up, null can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API.”

[embedded content]
The Access-Control-Allow-Origin header is critical to resource security that specifies which domains can access a site’s resources, which if left misconfigured on a site, could allow other malicious sites to …

Go to Source


Comments are closed.