Security Vulnerability in terriajs-server

Kevin Ring, Terria
Aug 30, 2018

A senior Data61 engineer recently discovered a serious vulnerability in terriajs-server, the server-side component of TerriaJS-based applications.

A fix was implemented immediately and is now available. Upgrade to terriajs-server v2.7.4 or later as soon as possible. The vulnerability affects all prior versions.

The vulnerability manifests itself when an attacker:

  • Has access to a server in a domain that is whitelisted by the terriajs-server proxy such that they can control the responses returned by the server, or
  • Has the ability to modify the DNS records of a domain (or subdomain) whitelisted by the terriajs-server proxy.

In either of these scenarios, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in your hosting environment.

The fix has two parts:

  • When a proxied request responds with a redirect (e.g. a 301 response), we now verify that the target of the redirect is also in the proxy whitelist.
  • When resolving hostnames for proxying, we verify that the resolved IP address isn’t in the “blacklistedAddresses” list. By default, all internal network, loopback, and otherwise reserved IP addresses are in the blacklist. If your server has privileged access to any regular internet IP addresses, it is vital that you add those to the blacklist as well.

If you need to add more IP addresses to the blacklist, add this key to your devserverconfig.json (or similar) and add your IP range as necessary:

blacklistedAddresses: [
  // loopback addresses
  "127.0.0.0/8",
  "::1/128",
  // link local addresses
  "169.254.0.0/16",
  "fe80::/10",
  // private network addresses
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16",
  "fc00::/7",
  // other
  "0.0.0.0/8",
  "100.64.0.0/10",
  "192.0.0.0/24",
  "192.0.2.0/24",
  "198.18.0.0/15",
  "192.88.99.0/24",
  "198.51.100.0/24",
  "203.0.113.0/24",
  "224.0.0.0/4",
  "240.0.0.0/4",
  "255.255.255.255/32",
  "::/128",
  "2001:db8::/32",
  "ff00::/8"
],

If you have any questions or concerns, you can contact us in any of the following ways:
