Movim, a popular decentralized social networking platform, was found to have a security vulnerability present in versions prior to .22. The vulnerability, termed CVE-2023-2848, is a Cross-Site WebSocket Hijacking issue that could potentially allow attackers to intercept WebSocket communications. This article presents the details of this vulnerability, its implications, how to exploit it, and how to fix your Movim installation if it is affected.
Background
WebSocket is a communications protocol providing low-latency, bidirectional communication channels over a single, long-lived connection. This makes it the ideal choice for applications requiring real-time communication, such as chat and video streaming. Unfortunately, due to the missing header validation in the early versions of Movim, the WebSocket implementation was left vulnerable to Cross-Site WebSocket Hijacking.
Details of CVE-2023-2848
Movim prior to version .22 was affected by a Cross-Site WebSocket Hijacking vulnerability. When a user logs into their Movim account, the server creates a WebSocket connection to facilitate real-time communication. A missing validation of the 'Origin' and 'Sec-WebSocket-Extensions' headers in the WebSocket handshake, allows an attacker to potentially hijack the WebSocket connection by sending crafted requests initiating a connection to the vulnerable Movim server.
Here's a sample of the code snippet in the vulnerable versions of Movim which lack the appropriate header validation:
const WebSocket = require('ws');
const server = new WebSocket.Server({ port: 808 });
server.on('connection', (socket) => {
socket.on('message', (message) => {
console.log(Received message: ${message});
socket.send(Echo: ${message});
});
});
Exploiting the Vulnerability
An attacker can exploit the vulnerability by crafting and sending a malicious WebSocket request from their own website, which an unsuspecting user will visit. The user's browser will send the WebSocket request to the vulnerable Movim server containing the 'Origin' header set to the attacker's website domain. Due to the missing validation in Movim, the server will accept this connection and potentially leak sensitive information or even allow the attacker to manipulate user data.
Here's a sample exploit code
<!DOCTYPE html>
<html>
<head>
<script>
window.onload = function() {
const maliciousSocket = new WebSocket('wss://vulnerable-movim-server.example.com');
maliciousSocket.onopen = () => {
maliciousSocket.send('Hello, I am a malicious request!');
};
};
</script>
</head>
<body>
<h1>Malicious Website</h1>
</body>
</html>
Check out the following links for more information and background on this vulnerability
1. Movim's GitHub Repository - https://github.com/movim/movim
2. WebSocket Security Issues - https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
3. CVE-2023-2848 Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2848
How to Fix
The vulnerability was patched in Movim version .22. Therefore, to secure your Movim installation, ensure you upgrade to the latest version available. You can download the latest version of Movim from their official website - https://movim.eu/.
In Conclusion
If you are running Movim on your server, it's essential to keep up-to-date with security patches and always use the latest version available to minimize the risk of exploitation. By taking preventive measures and understanding the potential risks involved, we can bolster the security of the overall ecosystem and safeguard our data.
Timeline
Published on: 09/14/2023 12:15:00 UTC
Last modified on: 09/20/2023 15:08:00 UTC