CVE-2019-13611 python-engineio Origin Header Cross-Site WebSocket Hijacking Vulnerability – Jul 2019

Preface: Smart apps are like a friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.

Product background: Engine.IO is a lightweight transport protocol that enables real-time, bidirectional, event-based communication between web browsers and a server. The python-engineio server can run on top of an Eventlet asynchronous server and ships with a small Flask application that serves the HTML/JavaScript to the client. Flask is a Python framework for creating web applications; it speeds up development of simple web applications by providing the required plumbing, and many companies use it as the backend for their mobile applications.

Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack on a targeted system. A page on an attacker-controlled site opens a WebSocket to the Engine.IO server, the victim's browser attaches the victim's cookies to the handshake, and the server accepts the connection because it does not restrict the Origin header. The attacker's page can then read and send messages on the socket with the victim's identity.

Design flaw: Cross-Origin Resource Sharing (CORS) is enforced by the browser only for XMLHttpRequest/fetch calls; the browser does not apply it to a WebSocket handshake, so any Access-Control-* headers the server sends are ignored for that connection. The only cross-site signal the server receives is the Origin request header, which the server must validate itself before completing the upgrade.
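To make the server-side check concrete, here is an added illustration of Origin validation on a WebSocket upgrade; it is not python-engineio's own code. The handshake is modelled as a WSGI-style environ dict (constructed sample data, not a capture), the names ALLOW_ALL, origin_allowed and handshake are this example's own, and the "accept any Origin" policy stands in for the behaviour the advisory describes, with the same-origin default beside it as the hardened form.

```python
"""Origin validation for a WebSocket upgrade, as a defence against CSWSH.

Added illustration; not python-engineio's own code. The request is modelled
as a WSGI ``environ`` dict because that is the shape a Python WebSocket /
Engine.IO server sees before it agrees to the upgrade.
"""
from urllib.parse import urlsplit

ALLOW_ALL = "*"  # hypothetical weak policy: any page may open a socket


def request_origin(environ):
    """Reconstruct the server's own origin (scheme://host[:port]) from environ."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    return f"{scheme}://{host}".lower()


def normalize_origin(value):
    """Lower-cased scheme://host[:port] of an Origin value; None if unusable.

    The opaque value "null" and anything without an http(s) scheme are
    rejected rather than compared.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_websocket_upgrade(environ):
    """True when the request asks to switch protocols to WebSocket."""
    return (environ.get("HTTP_UPGRADE", "").lower() == "websocket"
            and "upgrade" in environ.get("HTTP_CONNECTION", "").lower())


def origin_allowed(environ, allowed_origins=None, allow_missing_origin=False):
    """Decide whether a WebSocket handshake may proceed.

    allowed_origins: None  -> same-origin only (the safe default)
                     "*"   -> accept any Origin (vulnerable to CSWSH)
                     list  -> explicit allow-list of origins
    Browsers always send Origin on a WebSocket handshake, so a missing header
    means a non-browser client; whether to trust such clients is a policy
    choice, exposed here as allow_missing_origin.
    """
    origin = environ.get("HTTP_ORIGIN")
    if origin is None:
        return allow_missing_origin
    if allowed_origins == ALLOW_ALL:
        return True
    normalized = normalize_origin(origin)
    if normalized is None:
        return False
    if allowed_origins is None:
        return normalized == request_origin(environ)
    return normalized in {normalize_origin(o) for o in allowed_origins}


def handshake(environ, **policy):
    """Return the HTTP status line the server would answer this upgrade with."""
    if not is_websocket_upgrade(environ):
        return "400 Bad Request"
    if not origin_allowed(environ, **policy):
        return "403 Forbidden"  # refuse before any socket exists
    return "101 Switching Protocols"


def make_upgrade(origin, host="app.example.com", scheme="https"):
    """Constructed handshake environ (sample data, not a real capture)."""
    environ = {
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": host,
        "HTTP_UPGRADE": "websocket",
        "HTTP_CONNECTION": "Upgrade",
        "HTTP_COOKIE": "session=victim",  # the browser attaches it automatically
    }
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    return environ


SAME_SITE = make_upgrade("https://app.example.com")
CROSS_SITE = make_upgrade("https://attacker.example")  # victim lured to this page
NO_ORIGIN = make_upgrade(None)                          # e.g. a command-line client

if __name__ == "__main__":
    print("vulnerable policy, cross-site page:", handshake(CROSS_SITE, allowed_origins=ALLOW_ALL))
    print("same-origin default, cross-site page:", handshake(CROSS_SITE))
    print("same-origin default, own page:", handshake(SAME_SITE))
```

The decision is made on the Origin request header and nothing else: the cookie is present in both the legitimate and the cross-site handshake, and any Access-Control-Allow-Origin header the server might add to the response would never be consulted by the browser for this connection. Refusing with 403 before the upgrade completes means no socket is ever created for the attacker's page.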

Current status: The vendor has confirmed the vulnerability; at the time of writing (Jul 2019) no fix had been released.
