Description

In many cases, developers are trusting the HTTP Host header value and using it to generate links, import scripts and even generate password resets links with its value. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

Remediation

The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information.

References

Practical HTTP Host header attacks

Apache

nginx

Automated Detection of Host Header Attacks

Related Vulnerabilities

Play Framework Improper Input Validation Vulnerability (CVE-2015-2156)

Ektron CMS unauthenticated code execution and Local File Read

WordPress Plugin Cms Pack TimThumb Arbitrary File Upload (1.3)

ownCloud Improper Input Validation Vulnerability (CVE-2014-2585)

PHP mail function ASCII control character header spoofing vulnerability

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality