Lucene search

K
osvGoogleOSV:GHSA-XHFX-HGMF-V6VP
HistoryMar 10, 2021 - 9:07 p.m.

Potential Host Header Poisoning on misconfigured servers

2021-03-1021:07:25
Google
osv.dev
7

0.001 Low

EPSS

Percentile

36.8%

Impact

When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:

Patches

A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.

Workarounds

Alternative Workaround

Check to make sure that your web server does not accept any hostname when serving your web application.

  1. Add an entry called testing.tld to your computer’s host file and direct it to your server’s IP address
  2. Open the address testing.tld in your web browser
  3. Make sure an October CMS website is not available at this address

If an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.

References

Reported by Abdullah Hussam

For More Information

If you have any questions or comments about this advisory:

Threat Assessment

<img width=“1108” alt=“Screen Shot 2021-01-15 at 4 12 57 PM” src=“https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png”>

0.001 Low

EPSS

Percentile

36.8%

Related for OSV:GHSA-XHFX-HGMF-V6VP