0xJacky nginx-ui
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- <= 2.3.3
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Nginx UI versions prior to 2.3.5. All WebSocket endpoints in these versions use a gorilla/websocket Upgrader that allows all origins, enabling malicious websites to hijack WebSocket connections. This issue is exacerbated by the application's use of unprotected cookies for authentication tokens, allowing attackers to establish unauthorized WebSocket connections with the privileges of logged-in administrators.
Exploitation allows attackers to intercept and manipulate WebSocket communications, access sensitive server information, read Nginx log files, gain interactive terminal access (with remote code execution capabilities if certain conditions are met), and perform system operations such as Nginx reloads or binary upgrades.
To reproduce this vulnerability, host a malicious webpage that establishes a WebSocket connection to an Nginx UI server with a logged-in administrator. The WebSocket connection will be accepted due to the lack of origin validation, allowing the attacker to access sensitive information and potentially execute commands on the server.
Users are advised to update to Nginx UI version 2.3.5 or later. After updating, ensure that all WebSocket upgraders validate origins properly and that authentication tokens are stored in cookies with secure attributes. Additionally, consider adding CSRF token validation to WebSocket upgrade requests.
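The origin validation recommended above, as an added example (not code from the advisory or from the Nginx UI project): a callback with the signature of gorilla/websocket's `Upgrader.CheckOrigin`, shown beside the allow-all setting the advisory describes. The hostname and function names are assumptions, and rejecting requests that carry no `Origin` header is a choice made here that is stricter than gorilla's default same-origin check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowAllOrigins reproduces the weak setting: a CheckOrigin callback that
// accepts every upgrade request, whatever site the browser loaded it from.
func allowAllOrigins(r *http.Request) bool { return true }

// newOriginChecker (hypothetical helper) returns a callback usable as
// Upgrader.CheckOrigin that accepts only exact scheme://host[:port] matches.
func newOriginChecker(allowed ...string) func(*http.Request) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = struct{}{}
	}
	return func(r *http.Request) bool {
		origins := r.Header.Values("Origin")
		if len(origins) != 1 { // missing or duplicated header: reject
			return false
		}
		u, err := url.Parse(origins[0])
		if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
			return false // also rejects the literal "null" origin
		}
		// Compare the whole origin, never a prefix or suffix of it.
		_, ok := set[strings.ToLower(u.Scheme+"://"+u.Host)]
		return ok
	}
}

func main() {
	check := newOriginChecker("https://nginx-ui.example.internal") // constructed hostname
	for _, origin := range []string{ // constructed sample Origin values
		"https://nginx-ui.example.internal",
		"https://nginx-ui.example.internal.evil.example",
		"null",
	} {
		r, _ := http.NewRequest(http.MethodGet, "https://nginx-ui.example.internal/ws", nil)
		r.Header.Set("Origin", origin)
		fmt.Printf("%-48s allow-all=%v strict=%v\n", origin, allowAllOrigins(r), check(r))
	}
}
```

With gorilla/websocket the callback would be assigned as `websocket.Upgrader{CheckOrigin: newOriginChecker(...)}`; it complements, and does not replace, setting `SameSite`, `Secure` and `HttpOnly` on the authentication cookie.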