Silverstripe X-Forwarded-Host request hostname injection

2024-05-2316:59:25

CWE-601

GitHub Advisory Database

github.com

injection

hostname

vulnerability

header

reverse proxy

fix

remote url

caching

nginx

htaccess

7.3 High

AI Score

Confidence

Low

JSON

A potential hostname injection vulnerability has been found which could allow attackers to alter url resolution.

If a request contains the X-Forwarded-Host HTTP header a website would then use its value in place of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to potentially embed a remote url as the base_url for any site. This would then cause other visitors to the site to be redirected unknowingly.

This header is necessary for servers running behind a reverse proxy (such as nginx). Such servers are likely not vulnerable to this risk.

A fix has been merged into the default installer, although existing projects which do not run behind a reverse proxy should update their htaccess as below:

&lt;IfModule mod_headers.c&gt;
    # Remove X-Forwarded-Host header sent as a part of any request from the web
    RequestHeader unset X-Forwarded-Host
&lt;/IfModule&gt;

Affected configurations

Vulners

Node

silverstripeframeworkRange<3.1.13

CPENameOperatorVersion
silverstripe/frameworklt3.1.13

CPE	Name	Operator	Version
	silverstripe/framework	lt	3.1.13

References

github.com/advisories/GHSA-25gq-jvx2-vg9x

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-013-1.yaml

github.com/silverstripe/silverstripe-framework/commit/75137dbab28c0efd28b07e50044a50c5af4e46aa

www.silverstripe.org/software/download/security-releases/ss-2015-013

7.3 High

AI Score

Confidence

Low

JSON