Unfortunately this was marked as spam, so I didn't see it. The attached patch will deny the use of listener bind addresses for websockets listeners. I also note that using a more recent version of libwebsockets does not display the same problem.
Regards, Roger

On Sun, 26 Feb 2023 at 19:39, Helmut Grohne <hel...@subdivi.de> wrote:
> Package: mosquitto
> Version: 2.0.11-1
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> If you configure a websocket listener for mosquitto with an IP address
> to bind to, mosquitto will instead bind the wildcard address. This
> renders a secure configuration insecure.
>
> A simple configuration producing this behaviour is a default
> installation together with one config update:
>
> $ cat /etc/mosquitto/conf.d/listen.conf
> bind_address localhost
> listener 9001 127.0.0.1
> protocol websockets
> $
>
> If you (re)start mosquitto, you can see the insecure bind:
>
> $ ss -tlp
> ...
> LISTEN 0 4096 *:9001 *:*
> users:(("mosquitto",pid=269,fd=7))
> ...
> $
>
> The mosquitto.conf manual page in section 5 says that for websockets,
> you can only give an IP address as bind address, which kinda implies
> that you can give an IP address there. I think it is a reasonable
> expectation that binding to 127.0.0.1 should be secure.
>
> I am filing this as severity serious, because normally a security
> vulnerability would be grave, but this vulnerability only surfaces in a
> (possibly common) non-default configuration. Hence lowering to serious.
>
> I note (mostly for myself) that the following invocation reproduces the
> problem:
>
> debvm-create -- --include iproute2,mosquitto --customize-hook='printf
> "bind_address localhost\\nlistener 9001 127.0.0.1\\nprotocol websockets\\n" >
> "$1/etc/mosquitto/conf.d/listen.conf"'
>
> Helmut
diff --git a/src/conf.c b/src/conf.c index 592ea9796..046ccefb5 100644 --- a/src/conf.c +++ b/src/conf.c @@ -1837,6 +1837,10 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload, */ }else if(!strcmp(token, "websockets")){ #ifdef WITH_WEBSOCKETS + if(cur_listener->host){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Websockets does not allow a listener bind address."); + return MOSQ_ERR_INVAL; + } cur_listener->protocol = mp_websockets; #else log__printf(NULL, MOSQ_LOG_ERR, "Error: Websockets support not available.");
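Review bot: the new check runs only when the `protocol websockets` token is parsed, so as far as this hunk shows it rejects a bind address set by a preceding `listener 9001 127.0.0.1` line but not one assigned to `cur_listener->host` after the protocol has already been switched to mp_websockets; a validation pass over all listeners once the file has been read, or a mirror of the check where the host is assigned, would close that ordering gap. Including the listener's port in the "Error: Websockets does not allow a listener bind address." message would also make the rejected listener easier to locate in a multi-listener configuration. Returning MOSQ_ERR_INVAL and refusing to start is the right fail-closed choice given the report: a silent wildcard bind is worse than a configuration error.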
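A check an operator can run after restarting the broker, added here as an example and not taken from the bug report or from mosquitto itself: parse the listener configuration and the `ss -tlp` output, and flag any listener that was given a specific bind address but is listening on a wildcard. The config text and ss output are constructed to mirror the report.

```python
# Constructed config mirroring the bug report, plus a plain MQTT listener.
CONF = """\
bind_address localhost
listener 9001 127.0.0.1
protocol websockets
listener 1883 127.0.0.1
"""
# Constructed `ss -tlp` output: the websockets listener landed on the wildcard.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   *:9001             *:*       users:(("mosquitto",pid=269,fd=7))
LISTEN 0      100    127.0.0.1:1883     0.0.0.0:* users:(("mosquitto",pid=269,fd=6))
"""
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

def parse_listeners(conf):
    """Map port -> {"host", "protocol"}; the global bind_address (default listener only) is skipped."""
    listeners, current = {}, None
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "listener":
            current = {"host": parts[2] if len(parts) > 2 else None, "protocol": "mqtt"}
            listeners[int(parts[1])] = current
        elif parts[0] == "protocol" and current is not None:
            current["protocol"] = parts[1]
    return listeners

def parse_ss(output):
    """Map port -> set of local addresses from the LISTEN rows of `ss -tl[p]`."""
    bound = {}
    for line in output.splitlines():
        if line.startswith("LISTEN"):
            addr, port = line.split()[3].rsplit(":", 1)  # "Local Address:Port" column
            bound.setdefault(int(port), set()).add(addr)
    return bound

def find_wildcard_binds(conf, ss_output):
    """Return [(port, protocol, configured_host, wildcard_addrs)] for each listener
    that was given a specific bind address but is listening on a wildcard."""
    bound, findings = parse_ss(ss_output), []
    for port, lst in sorted(parse_listeners(conf).items()):
        if lst["host"] is None or lst["host"] in WILDCARDS:
            continue  # no specific address requested, nothing to verify
        wild = bound.get(port, set()) & WILDCARDS
        if wild:
            findings.append((port, lst["protocol"], lst["host"], wild))
    return findings
```

On a live host, replace `SS_OUTPUT` with the captured output of `ss -tlp` and `CONF` with the concatenated listener configuration; an empty result means every listener honoured its bind address.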