Lucene search

K
osvGoogleOSV:GHSA-87PF-7X99-5XC4
HistoryMay 23, 2024 - 7:27 p.m.

Silverstripe Hostname, IP and Protocol Spoofing through HTTP Headers

2024-05-2319:27:33
Google
osv.dev
2
silverstripe
spoofing
http headers
reverse proxy
hostname
ip
protocol
security restriction
secure coding
apache
mod_env
.htaccess

7 High

AI Score

Confidence

Low

In it’s default configuration, SilverStripe trusts all originating IPs to include HTTP headers for Hostname, IP and Protocol. This enables reverse proxies to forward requests while still retaining the original request information. Trusted IPs can be limited via the SS_TRUSTED_PROXY_IPS constant. Even with this restriction in place, SilverStripe trusts a variety of HTTP headers due to different proxy notations (e.g. X-Forwarded-For vs. Client-IP). Unless a proxy explicitly unsets invalid HTTP headers from connecting clients, this can lead to spoofing requests being passed through trusted proxies.

The impact of spoofed headers can include Director::forceSSL() not being enforced, SS_HTTPRequest->getIP() returning a wrong IP (disabling any IP restrictions), and spoofed hostnames circumventing any hostname-specific restrictions enforced in SilverStripe Controllers.

Regardless on running a reverse proxy in your hosting infrastructure, please follow the instructions on Secure Coding: Request hostname forgery in order to opt-in to these protections. If your website is not behind a reverse proxy, you might already be protected if using Apache with mod_env enabled, and you have the following line in your .htaccess file: SetEnv BlockUntrustedIPs true.

7 High

AI Score

Confidence

Low