OAuth2-Proxy Underscore Header Normalization Vulnerability Leading to Privilege Escalation

Vulnerability

OAuth2-Proxy versions prior to 7.13.0 strip or overwrite the X-Forwarded-* identity headers (for example X-Forwarded-User) by matching the dashed header name exactly. An authenticated user can therefore send an underscore variant such as X_Forwarded_User or X_Forwarded_Groups, which the proxy does not recognise and passes to the upstream unchanged. Upstream servers that map header names into CGI-style keys (WSGI servers used by Django, Flask and FastAPI, and certain PHP applications) turn both X-Forwarded-User and X_Forwarded_User into HTTP_X_FORWARDED_USER, so the attacker-supplied value is read as if the proxy had set it, which can escalate privileges in the application. Nginx drops header names containing underscores by default (underscores_in_headers off), so the variant never reaches the application there, but Apache passes such headers through and the issue is exploitable behind it.

Impact

An authenticated attacker whose requests reach the upstream through the proxy can supply identity or group information that the application believes came from the proxy, and so obtain roles or access the application would not otherwise grant.

Reproduction

To reproduce, deploy an OAuth2-Proxy release before 7.13.0 in front of an application whose server maps header names into CGI-style keys (so X_Forwarded_* and X-Forwarded-* collide), for example a WSGI application behind Apache or another server that does not reject underscores in header names. Authenticate to the proxy, then send a request carrying an X-Forwarded-* header spelled with underscores instead of dashes, such as X_Forwarded_User or X_Forwarded_Groups, with an attacker-chosen value. The proxy strips only the dashed spelling, so the underscore header reaches the upstream, which stores it under the same key as the proxy-set header. For a header the proxy does not set itself (for example a groups header that is not configured), the injected value is the only one present; where the proxy also sets the header, the value the application sees depends on how the server resolves the collision (some keep one value, others join duplicates with a comma). Either way the application may use the injected value in its authentication or authorization decisions. Sending the same header with dashes is stripped by the proxy, which confirms that the filter is being bypassed rather than absent.
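The following is an added example, not code from oauth2-proxy or from this advisory, that models the three pieces involved: the CGI-style key mapping a WSGI server applies to header names, a header filter that matches the dashed X-Forwarded-* names exactly (the pre-7.13.0 behaviour described above), and a filter that normalizes underscores to dashes before the check. The upstream view, the "groups contains admin" rule and the collision handling (last header wins) are assumptions made for the example; real servers differ in how they resolve the collision.

```python
import re

# Prefix of the identity headers the proxy is expected to own (case-folded).
FORWARDED_PREFIX = "x-forwarded-"


def cgi_env_key(header_name: str) -> str:
    """Map a header name to its CGI/WSGI environ key the way WSGI servers do:
    upper-case, every non-alphanumeric character becomes '_', prefix HTTP_.
    Both 'X-Forwarded-Groups' and 'X_Forwarded_Groups' become
    HTTP_X_FORWARDED_GROUPS, which is the collision this advisory is about."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def strip_forwarded_exact(headers: dict) -> dict:
    """Filter modelled on the pre-7.13.0 behaviour described above: a header
    is dropped only if its case-folded name literally starts with
    'x-forwarded-'. 'X_Forwarded_Groups' does not, so it survives."""
    return {n: v for n, v in headers.items()
            if not n.lower().startswith(FORWARDED_PREFIX)}


def strip_forwarded_normalized(headers: dict) -> dict:
    """Hardened filter: fold case and map '_' to '-' before the prefix test,
    so any spelling the upstream would collapse onto X-Forwarded-* is
    stripped. This mirrors the idea of the 7.13.0 fix, not its source."""
    return {n: v for n, v in headers.items()
            if not n.lower().replace("_", "-").startswith(FORWARDED_PREFIX)}


def build_environ(headers: dict) -> dict:
    """Simulated WSGI server: build environ from the forwarded headers.
    Assumption for this example: when two names collide on one key the
    later one wins; real servers differ (some join duplicates with a comma)."""
    environ = {}
    for name, value in headers.items():
        environ[cgi_env_key(name)] = value
    return environ


def upstream_role(environ: dict) -> str:
    """Simulated upstream that trusts the proxy's identity headers
    (hypothetical rule): 'admin' if the groups header lists 'admin'."""
    groups = environ.get("HTTP_X_FORWARDED_GROUPS", "")
    return "admin" if "admin" in groups.split(",") else "user"


def proxy_request(client_headers: dict, strip_fn, session_user: str) -> str:
    """One request through the proxy: strip client-supplied X-Forwarded-*
    headers, add the proxy's own identity header for the authenticated
    session, and hand the result to the simulated upstream."""
    forwarded = strip_fn(client_headers)
    forwarded["X-Forwarded-User"] = session_user   # set from the proxy session
    return upstream_role(build_environ(forwarded))


# Constructed requests from an authenticated user 'alice' who is not an admin.
DASHED_ATTEMPT = {"Host": "app.internal", "X-Forwarded-Groups": "admin"}
UNDERSCORE_ATTEMPT = {"Host": "app.internal", "X_Forwarded_Groups": "admin"}


def demo() -> dict:
    """Run both attempts through both filters and return the role each yields."""
    return {
        "exact/dashed": proxy_request(DASHED_ATTEMPT, strip_forwarded_exact, "alice"),
        "exact/underscore": proxy_request(UNDERSCORE_ATTEMPT, strip_forwarded_exact, "alice"),
        "normalized/dashed": proxy_request(DASHED_ATTEMPT, strip_forwarded_normalized, "alice"),
        "normalized/underscore": proxy_request(UNDERSCORE_ATTEMPT, strip_forwarded_normalized, "alice"),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:22} -> {role}")
```

Only the "exact/underscore" case yields admin: the dashed spelling is stripped by both filters, and the normalized filter also removes the underscore spelling because it tests the same name the upstream will eventually see. A proxy-side filter is only as good as its agreement with the upstream's canonicalization, which is why the check has to run on the normalized name rather than on the raw bytes the client sent.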

Remediation

Update to OAuth2-Proxy 7.13.0 or later. The fixed release normalizes incoming header names (underscores treated like dashes) before applying the X-Forwarded-* filter, so the underscore variants are stripped as well. Deployments that deliberately rely on passing such similar-looking headers through to the upstream can disable the normalization with the new InsecureSkipHeaderNormalization option; as the name indicates, enabling it reopens this issue and is only safe when the upstream is known not to collapse underscores and dashes into the same key.

Added: Nov 10, 2025, 10:27 PM
Updated: Nov 10, 2025, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 6.4
remediation: 8.3
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.