[Mod_nss-list] mod_nss and faked header = unvalidated redirect?

Dirk Wetter dirk at owasp.org
Fri Feb 21 11:37:50 UTC 2014


Hi there,


On 02/06/2014 04:58 PM, Dirk Wetter wrote:
> 
> Hi,
> 
> One or two questions.
> 
> Are there any known bugs or config variables which prevent this from
> happening and is that reproducible?
> 
> 
> ----snip
> curl -v -L -i -k -X 'GET' -H 'Host: <BADHOST>' <TARGET:LOGINURL>
> 
> [..SSL handshake..]
> 
> GET /<LOGINURL> HTTP/1.1
>> Accept: */*
>> [..rest of header omitted ..]
>> Host: BADHOST                                 <---------!
> 
> 
> * upload completely sent off: 48out of 48 bytes
> < HTTP/1.1 302 Moved Temporarily
> HTTP/1.1 302 Moved Temporarily
> < Date: Mon, 03 Feb 2014 15:00:04 GMT
> Date: Mon, 03 Feb 2014 15:00:04 GMT
> < Server: Apache
> Server: Apache
> < Location: <BADHOST>/<302PATH_ON_TARGET>
> Location:  <BADHOST>/<302PATH_ON_TARGET>         <---------!
> < Content-Length: 0
> Content-Length: 0
> < Content-Type: text/plain
> Content-Type: text/plain
> 
> <
> * Connection #0 to  <TARGET> host left intact
> * Issue another request to this URL: '<BADHOST>/<302PATH_ON_TARGET>'
> * About to connect() to BADHOST port 443 (#1)
> [..SSL handshake..]
> GET /<302PATH_ON_TARGET> HTTP/1.1
> Host: BADHOST
> [..]
> 
> 
>  HTTP/1.1 404 Not Found
> HTTP/1.1 404 Not Found
> < Server: nginx
> Server: nginx
> < Date: Mon, 03 Feb 2014 15:00:05 GMT
> Date: Mon, 03 Feb 2014 15:00:05 GMT
> < Content-Type: text/html
> Content-Type: text/html
> < Content-Length: 162
> Content-Length: 162
> < Connection: keep-alive
> Connection: keep-alive
> 
> ---snap
> 
> The <302PATH_ON_TARGET> is in this example a URL for retrying form-based authentication,
> so that issue has a quite dramatic security impact if the server doesn't throw e.g. a
> 400 but takes user input (here: the Host header) and redirects thereto.
> 
> Needless to ask: It's certainly mod_nss. mod_ssl (same machine, rest of configuration
> not touched) doesn't show this.


I hope there's something going on behind the scenes, as my
posting was more than 2 weeks ago.

Please let me know if this is the wrong list or further input/explanation is needed --
IMHO this bug (if reproducible) should be labeled at least as medium if not high risk.


Cheers,

Dirk
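The server-side behaviour the post argues for (never build a redirect target from the client-supplied Host header) and the check a scanner would apply to a Location header, as an added example that is not part of this thread or of mod_nss; the allow-list, the hostnames and the function names are assumptions:

```python
from urllib.parse import urlsplit

# Constructed allow-list of canonical hostnames this server may redirect to.
CANONICAL_HOSTS = {"login.example.org", "www.example.org"}
DEFAULT_HOST = "www.example.org"


def canonical_host(host_header, allowed=CANONICAL_HOSTS, default=DEFAULT_HOST):
    """Return a trusted hostname for building absolute URLs.

    The Host header is client input. It is used only if it matches the
    allow-list exactly (after stripping an optional port and lowering case);
    otherwise the configured default is returned.
    """
    if not host_header:
        return default
    host = host_header.strip().lower()
    # Strip a port, but keep bracketed IPv6 literals intact.
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host if host in allowed else default


def build_redirect(host_header, path):
    """Build a Location value for a 302 to `path` on this server.

    `path` must be site-relative; an absolute URL or a protocol-relative
    "//host/..." form is rejected so the target cannot leave the site.
    """
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect path must be a site-relative path")
    return "https://" + canonical_host(host_header) + path


def location_is_trusted(location, allowed=CANONICAL_HOSTS):
    """Check a Location header seen in a response during a configuration test.

    True when the redirect stays on an allow-listed host, i.e. the behaviour
    the post reports for mod_ssl; False when it points at a foreign host, as
    the post reports for mod_nss with a spoofed Host header.
    """
    parts = urlsplit(location)
    if not parts.netloc:  # relative Location: resolves against the same host
        return True
    return canonical_host(parts.netloc, allowed, default=None) is not None
```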
