[ANN] keter 1.8.3 (security fix)

This release for keter includes a security fix for the default response when the host is not found.

All keter users are advised to upgrade to the latest version.

The hostname was inserted into the response body without escaping, so an attacker who controls the Host header could get arbitrary code executed in the browser (the hostname itself becomes that arbitrary code). This is known as a cross-site scripting (XSS) attack.

I confirmed this with netcat, e.g.:

❯ nc localhost 8080
GET / HTTP/1.1
HOST: <script>alert("xx");</script>

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Tue, 19 Apr 2022 17:30:33 GMT
Server: Warp/3.3.15
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

00D4
<!DOCTYPE html>
<html><head><title>Welcome to Keter</title></head><body><h1>Welcome to Keter</h1><p>The hostname you have provided, <code><script>alert("xx");</script></code>, is not recognized.</p></body></html>
0

That’s on keter 1.5, so it’s safe to assume this issue affects pretty much all versions out there.

1.8 allowed this default response to be overridden with a custom error page, but that path added a response header containing the unescaped host value as well.
Configured like this it would be more difficult to exploit: you would have to inject two line breaks to terminate the headers before the browser would accept the header value as HTML, and the header builder prevents that.

From 1.8.3 onwards all of these issues are fixed.
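As an added illustration (not keter's own code), here is a minimal Haskell rendering of the same not-found page with the Host value HTML-escaped before it is interpolated, together with a check that refuses control characters in a header value; the function names are hypothetical and only base is used.

```haskell
-- Added example, not code from keter: escape the Host value before it is
-- placed in the not-found body, and reject CR/LF in header values.
import Data.Char (isControl)

-- Minimal HTML entity escaping for text content.
escapeHtml :: String -> String
escapeHtml = concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

-- The default not-found page from the announcement. Before the fix the
-- raw Host header went into the <code> element unchanged.
notFoundBody :: String -> String
notFoundBody host = concat
  [ "<!DOCTYPE html>\n<html><head><title>Welcome to Keter</title></head>"
  , "<body><h1>Welcome to Keter</h1><p>The hostname you have provided, <code>"
  , escapeHtml host
  , "</code>, is not recognized.</p></body></html>"
  ]

-- A header value carrying CR/LF (or any control character) could end the
-- header block early, so such values are rejected rather than emitted.
safeHeaderValue :: String -> Maybe String
safeHeaderValue v
  | any isControl v = Nothing
  | otherwise       = Just v

main :: IO ()
main = do
  let host = "<script>alert(\"xx\");</script>"   -- the payload from the nc session
  putStrLn (notFoundBody host)                   -- script tags arrive as &lt;script&gt;
  print (safeHeaderValue host)                   -- Just "<script>...": fine as a header value
  print (safeHeaderValue "example.com\r\nX: y")  -- Nothing: CR/LF refused
```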

Special thanks to Max @ulidtko for spotting this and providing a patch.
