QID 984020

Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ``` POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: [email protected] X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ``` X-Payment-Source: [email protected] // Emails switched X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` [email protected]\n [email protected]\n ``` ## Recommendation Update to version 0.10.0 or higher.

Successful exploitation of this vulnerability may affect the confidentiality, integrity, and availability of the targeted user.