CVE-2017-16005: Input Validation

First published: Mon Jun 04 2018(Updated: )

Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ```http POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: src@money.com X-Payment-Destination: dst@money.com Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ```http X-Payment-Source: dst@money.com // Emails switched X-Payment-Destination: src@money.com Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` src@money.com\n dst@money.com\n ``` ## Recommendation Update to version 0.10.0 or higher.

Credit: support@hackerone.com support@hackerone.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• alias/GHSA-q257-vv4p-fg92
• alias/CVE-2017-16005
• collector/github-advisory
• collector/nvd-index
• collector/nvd-cve
• agent/type
• agent/author
• agent/description
• agent/event
• agent/remedy
• agent/first-publish-date
• agent/severity
• agent/weakness
• agent/tags
• agent/last-modified-date
• agent/references
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• package-manager/npm
• vendor/joyent
• canonical/joyent http-signature
• version/joyent http-signature/0.9.11