HAPI FHIR
cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*
- < 6.9.4
A vulnerability in HAPI FHIR prior to version 6.9.4 allows for the leakage of authentication credentials, including Bearer tokens, Basic auth credentials, and API keys. The issue arises in the 'ManagedWebAccessUtils.getServer()' method, which uses 'String.startsWith()' to match request URLs against configured server URLs for authentication. Because there is no trailing-slash or host-boundary check, a URL on an attacker-controlled domain that merely begins with a legitimate server URL passes the match, so the credentials are sent to that domain when the HTTP client follows a redirect to it. This vulnerability affects any deployment that configures server authentication in 'fhir-settings.json' and makes outbound HTTP requests to terminology servers.
Exploitation of this vulnerability allows for the theft of authentication credentials, which can be used to impersonate the user and make authenticated requests to FHIR servers, potentially accessing or modifying clinical terminology data. Additionally, the vulnerability could be exploited to bypass HTTPS enforcement by tricking the application into treating an attacker-controlled domain as 'local'.
The vulnerability can be reproduced by configuring a FHIR server URL in 'fhir-settings.json' without a trailing slash. When a request is made to the server that follows a redirect to an attacker-controlled domain matching the prefix of the configured URL, the authentication credentials are leaked to the attacker.
Users are advised to update to HAPI FHIR version 6.9.4 or later, and to ensure that FHIR server URLs are configured correctly with trailing slashes. Additionally, consider reintroducing host-equality checks for redirects to prevent credential leakage.
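The following is an added illustration, not code from HAPI FHIR, of the two matching strategies the advisory contrasts: a bare 'String.startsWith()' prefix comparison, and a same-origin comparison that requires scheme, host and effective port to be equal and only lets the path match on a segment boundary. The class and method names ('ServerUrlMatch', 'matchesByPrefix', 'matchesSameOrigin') are hypothetical, and the host names are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical illustration (not HAPI FHIR code) of why a bare prefix comparison
 * is an unsafe test for "does this request URL belong to a configured server",
 * and how a host-boundary-aware comparison closes the gap.
 */
public final class ServerUrlMatch {

    /** The flawed idea: the request URL only has to start with the configured URL. */
    static boolean matchesByPrefix(String configuredServerUrl, String requestUrl) {
        return requestUrl.startsWith(configuredServerUrl);
    }

    /**
     * Hardened comparison: scheme, host and effective port must be equal, and the
     * configured path must be a prefix of the request path on a '/' boundary.
     */
    static boolean matchesSameOrigin(String configuredServerUrl, String requestUrl) {
        URI cfg;
        URI req;
        try {
            cfg = new URI(configuredServerUrl).normalize();
            req = new URI(requestUrl).normalize();
        } catch (URISyntaxException e) {
            return false; // unparsable input never matches a configured server
        }
        if (cfg.getScheme() == null || req.getScheme() == null
                || cfg.getHost() == null || req.getHost() == null) {
            return false; // relative or host-less URLs cannot be a configured server
        }
        if (!cfg.getScheme().equalsIgnoreCase(req.getScheme())) {
            return false; // an http:// request must not inherit https:// credentials
        }
        if (!cfg.getHost().equalsIgnoreCase(req.getHost())) {
            return false; // exact host equality: "tx.example.org.other.test" is a different host
        }
        if (effectivePort(cfg) != effectivePort(req)) {
            return false;
        }
        String cfgPath = stripTrailingSlash(cfg.getRawPath() == null ? "" : cfg.getRawPath());
        String reqPath = req.getRawPath() == null ? "" : req.getRawPath();
        // Path prefix must end on a '/' boundary so "/fhir" does not match "/fhirx".
        return reqPath.equals(cfgPath) || reqPath.startsWith(cfgPath + "/");
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    private static String stripTrailingSlash(String p) {
        return p.endsWith("/") ? p.substring(0, p.length() - 1) : p;
    }

    public static void main(String[] args) {
        // Constructed sample values; tx.example.org stands in for a real terminology server.
        String configured = "https://tx.example.org"; // configured without a trailing slash
        String legit      = "https://tx.example.org/fhir/ValueSet/$expand";
        String lookalike  = "https://tx.example.org.other.test/fhir/ValueSet/$expand";
        String otherPort  = "https://tx.example.org:8443/fhir";

        System.out.println("prefix, legit:      " + matchesByPrefix(configured, legit));       // true
        System.out.println("prefix, lookalike:  " + matchesByPrefix(configured, lookalike));   // true: credentials would be attached
        System.out.println("origin, legit:      " + matchesSameOrigin(configured, legit));     // true
        System.out.println("origin, lookalike:  " + matchesSameOrigin(configured, lookalike)); // false
        System.out.println("origin, other port: " + matchesSameOrigin(configured, otherPort)); // false
    }
}
```

The same-origin check also covers the HTTPS-enforcement concern the advisory mentions: because the scheme must match, an http:// URL that happens to begin with the configured https:// host can no longer be treated as the configured server. Whichever comparison the HTTP client uses, it should be re-run against the target URL of every redirect, not only the original request, since the redirect is where the credentials would otherwise leave the intended host.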