2019-SV4 Web Referrer Leakage

affects OMERO.web versions 5.6.1 and earlier

back to Advisories

Synopsis

If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the URL and query parameters may be exposed in the referrer header seen by the target.

Background

When a hyperlink on a webpage is clicked most browsers default to sending the full URL of the current page in the HTTP referrer header to the target server of the hyperlink. If the URL of the current page includes sensitive information, for example query parameters or object IDs, this information is sent in the referrer header and can be seen by the linked server.

This vulnerability is identified as CVE-2020-7932.

Affected Packages

OMERO.web, all versions prior to 5.6.3.

Impact

Major severity.

CVSS score 5.9 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:N.

Workaround

Set the HTML <meta> Referrer tag in all OMERO.web django templates and/or set the Referrer-Policy header in the webserver proxying OMERO.web. Note that Internet Explorer 11 has limited support for <meta> Referrer and no support for the Referrer-Policy header.

Resolution

All OMERO.web servers should be upgraded to at least 5.6.3. If your users are using Internet Explorer 11 (IE11) consider setting omero.web.html_meta_referrer to origin instead of the default origin-when-crossorigin which is not understood by IE11.

For additional information see:


back to top