Flox: Content spoofing through Referel header

2015-07-28T07:45:34
ID H1:79185
Type hackerone
Reporter pradeepch99
Modified 2015-08-29T03:15:17

Description

I found content spoofing/ text injection through referel header

Steps to reproduce: whenever you came to this page https://flox.io/404/ You'll see an error message like

404: Baaah! Nothing existed there, so now you’re here. You appear to be a traveller from a distant land.

From googling I found a link leads to https://flox.io/404/ and the link is http://files.flox.io/avrisk/about

To exploit this I create a html file <html> <body> <form method="GET" action="http://files.flox.io/avrisk/about"> <input type="submit" name="submit" value="submit"> </form> </body> </html> Note: use IE to work with this.

I hosted this locally at http://localhost/a.php But I've added some text as referer header like below

http://localhost/a.php?You're browsing privatelyFirefox won't remember any history for this window.That includes browsing history, search history, download history, web form history, cookies, and temporary internet files. However, files you download and bookmarks you make will be kept.While this computer won't have a record of your browsing history, your employer or internet service provider can still track the pages you visit.Learn More.

Now the page https://flox.io/404/ shows

404: Baaah! Nothing existed there, so now you’re here. We think you may have came from: http://localhost/a.php?You'rebrowsingprivatelyFirefoxwon'trememberanyhistoryforthiswindow.Thatincludesbrowsinghistory,searchhistory,downloadhistory,webformhistory,cookies,andtemporaryinternetfiles.However,filesyoudownloadandbookmarksyoumakewillbekept.Whilethiscomputerwon'thavearecordofyourbrowsinghistory,youremployerorinternetserviceprovidercanstilltrackthepagesyouvisit.LearnMore.

Here the problem is the referer header is stored on the server side. Whoever came to this https://flox.io/404/ page will get the same result. And it stays only for few minutes. Even though the attacker can make use of this and can insert some fake content to lead users to his site.

suppose he can put his public url in the error and can also put some message to go to that site