0

Follow up: If I have a valid certificate for xxxxx.github.com, can't I read *.github.com's cookies?

I was asked to ask this as a separate question. This isn't a duplicate question.

Okay, so I asked the above question coz I'm concerned of the following situation:

A domain sets auth cookies to *.target.com as multiple subdomains running different services need auth cookies. Also one such service is xxxx.target.com. Here, I am able to upload files under my sub-subdomain that is I can upload files as myname.xxxx.target.com/myownfilename.extn. Is this vulnerable?

For eg., Lets Encrypt asks to upload a file in /.well-known/acme-challenge/. For my case this isn't possible but I can upload a file like /somefile.extn.

My question is, is /.well-known/acme-challenge/ this path a standard for http file upload verification? Is the target.com vulnerable if I can upload file to /myfile.extn?

Is there any other ways to get the domain verification done in this case to get valid TLS cert?

In short, if a server, say target.com have auth cookies set to *.target.com and also allow users to upload files under target's subdomain but not exactly to /.well-known/acme-challenge/, is this situation vulnerable? Or, should the server be considered safe? I'm more concerned that other CA may have different http file upload verification methods that could put such servers at risk.

1 Answers1

1

Here, I am able to upload files under my sub-subdomain that is I can upload files as myname.xxxx.target.com/myownfilename.extn. Is this vulnerable?

As long as an upload to your sub-subdomain does not get mapped to a URL in the main domain which can be used for domain validation I don't see any problem here. And if this is the case depends on the specific server setup which is unknown.

... is /.well-known/acme-challenge/ this path a standard for http file upload verification

This is the standard path defined in the ACME protocol which is used by Let's Encrypt and some others.

... Is there any other ways to get the domain verification done in this case to get valid TLS cert?

The scenario you describe is not that uncommon. It would be very bad if this could be used to get a valid TLS certificate. Given how common it is I don't think that you can get a valid certificate this way.

In short, if a server, say target.com have auth cookies set to *.target.com and also allow users to upload files under target's subdomain but not exactly to /.well-known/acme-challenge/, is this situation vulnerable?

The scope of the auth cookies has nothing inherently to do where a file uploaded to some subdomain will occur in the main domain (if at all). Based on only these information there is no vulnerability.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434