When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:
A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.
Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.
Check that the configuration setting cms.linkPolicy
is set to force
.
Check to make sure that your web server does not accept any hostname when serving your web application.
testing.tld
to your computer’s host file and direct it to your server’s IP addresstesting.tld
in your web browserIf an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.
Reported by Abdullah Hussam
If you have any questions or comments about this advisory:
<img width=“1108” alt=“Screen Shot 2021-01-15 at 4 12 57 PM” src=“https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png”>
github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp
nvd.nist.gov/vuln/detail/CVE-2021-21265
packagist.org/packages/october/backend