Closed
Bug 1313052
Opened 8 years ago
Closed 8 years ago
Host Header Injection - location.services.mozilla.com
Categories
(Cloud Services :: Server: Location, defect)
Cloud Services
Server: Location
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: guilhermescombatti, Assigned: ckolos)
References
()
Details
(Keywords: sec-low, wsec-injection, Whiteboard: [reporter-external] [web-bounty-form])
Attachments
(1 file)
53.07 KB,
image/jpeg
|
Details |
An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifies which website should process the HTTP request. The web server uses the value of this header to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. But what happens if we specify an invalid Host Header? If Apache receives an unrecognized Host Header, it passes it to the first virtual host defined in httpd.conf. Therefore, it's possible to send requests with arbitrary Host Headers to the first virtual host. Another way to pass arbitrary Host headers is to use the X-Forwarded-Host Header. In some configurations this header will rewrite the value of the Host header. Therefore it's possible to make a request like: Request: GET http://location.services.mozilla.com HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Response: HTTP/1.1 301 Moved Permanently Content-Type: text/html Date: Wed, 26 Oct 2016 12:51:09 GMT Location: https://google.com/ Server: nginx/1.6.0 Content-Length: 184 Connection: keep-alive Normally, most apps will reject any request that doesn't originate from the same origin . To fix, the application should reject anything that doesn't match the target domain. This may also be an error in the rewrite functions of the back-end web server as well. Regards, Guilherme
Flags: sec-bounty?
Reporter | ||
Comment 1•8 years ago
|
||
Comment 2•8 years ago
|
||
Do you have an actual attack that causes any problems for either the service or the users? The way its documented it looks like that if you specify an alternative host then you get a 301, which isnt going to cause any real problems is it?
Comment 3•8 years ago
|
||
For info - a curl script to demonstrate this issue: curl -H "Host: www.google.com" -i "http://location.services.mozilla.com/" Note that if the request is made to the https URL then https://location.services.mozilla.com/ is returned rather than the 301: curl -H "Host: www.google.com" -i "https://location.services.mozilla.com/" So its looking like this is an nginx config problem
Status: UNCONFIRMED → NEW
Component: Other → Location
Ever confirmed: true
Product: Websites → Cloud Services
Updated•8 years ago
|
Assignee: nobody → ckolos
Keywords: sec-low,
wsec-injection
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Comment 4•8 years ago
|
||
ckolos have you had a chance to take a look at this?
Flags: needinfo?(ckolos)
Comment 5•8 years ago
|
||
The severity of this bug doesn't not qualify for the bug bounty.
Flags: sec-bounty? → sec-bounty-
Updated•8 years ago
|
Group: websites-security
Assignee | ||
Comment 6•8 years ago
|
||
(In reply to Jeff Bryner [:jeff] (use NEEDINFO) from comment #4) > ckolos have you had a chance to take a look at this? missed it in queue. On it now.
Flags: needinfo?(ckolos)
Assignee | ||
Comment 7•8 years ago
|
||
This should now be fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•