Algernon
cpe:2.3:a:algernon_project:algernon:*:*:*:*:*:*:*
- <= 1.17.6
A cross-origin resource sharing (CORS) vulnerability has been identified in Algernon versions prior to 1.17.7. The issue arises in the server-sent events (SSE) event server, where the Access-Control-Allow-Origin response header was hard-coded to the wildcard '*', regardless of the request's Origin. This misconfiguration allows any third-party webpage to establish a cross-origin EventSource connection to the SSE port and read the live filename stream via JavaScript. The vulnerability is exploitable because EventSource requests do not include cookies and do not trigger a preflight OPTIONS request, so the wildcard alone is sufficient for unauthorized access.
Exploitation of this vulnerability allows for cross-origin read access to the SSE event stream, without any server-side awareness of the data being accessed. This could lead to unintentional disclosure of file change events to a third party.
To reproduce this vulnerability, run the Algernon server with the SSE event listener active. Then, open a third-party webpage in a different tab that includes a script to connect to the SSE endpoint. The Access-Control-Allow-Origin header will allow the cross-origin request, and the webpage can read the SSE stream data.
Update to Algernon version 1.17.7 or later, and consider removing the dedicated SSE event server port code path to simplify CORS handling.
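One way to restrict an SSE endpoint to known origins, shown beside the wildcard pattern described above. This is an added Go example, not Algernon's code or the actual 1.17.7 fix; the handler names, the `/sse` path, the allowlist entry and the sample event are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

var allowedOrigins = map[string]bool{"http://localhost:3000": true} // constructed allowlist

// wildcardSSE shows the weak pattern: any origin may read the event stream.
func wildcardSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Access-Control-Allow-Origin", "*")
	fmt.Fprint(w, "data: changed/file.txt\n\n")
}

// allowlistSSE refuses foreign origins before any event is written and echoes an
// allowed origin instead of "*". Requests without an Origin get no CORS header.
func allowlistSSE(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	w.Header().Add("Vary", "Origin") // the response differs per Origin, so caches must key on it
	if origin != "" && !allowedOrigins[origin] {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	if origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "data: changed/file.txt\n\n")
}

// probe sends one in-memory GET and returns the status and the CORS header.
func probe(h http.HandlerFunc, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, h := range []http.HandlerFunc{wildcardSSE, allowlistSSE} {
		fmt.Println(probe(h, "https://other.example"))
	}
}
```

An origin check only governs what browsers let a page read; a non-browser client can send any Origin value, so it does not replace authentication on the stream.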