[Mod_nss-list] mod_nss and faked header = unvalidated redirect?
Dirk Wetter
dirk at owasp.org
Fri Feb 21 11:37:50 UTC 2014
Hi there,
On 02/06/2014 04:58 PM, Dirk Wetter wrote:
>
> Hi,
>
> one or two questions.
>
> Are there any known bugs or config variables which prevent this from
> happening and is that reproducible?
>
>
> ----snip
> curl -v -L -i -k -X 'GET' -H 'Host: <BADHOST>' <TARGET:LOGINURL>
>
> [..SSL handshake..]
>
> GET /<LOGINURL> HTTP/1.1
>> Accept: */*
>> [..rest of header omitted ..]
>> Host: BADHOST <---------!
>
>
> * upload completely sent off: 48 out of 48 bytes
> < HTTP/1.1 302 Moved Temporarily
> HTTP/1.1 302 Moved Temporarily
> < Date: Mon, 03 Feb 2014 15:00:04 GMT
> Date: Mon, 03 Feb 2014 15:00:04 GMT
> < Server: Apache
> Server: Apache
> < Location: <BADHOST>/<302PATH_ON_TARGET>
> Location: <BADHOST>/<302PATH_ON_TARGET> <---------!
> < Content-Length: 0
> Content-Length: 0
> < Content-Type: text/plain
> Content-Type: text/plain
>
> <
> * Connection #0 to <TARGET> host left intact
> * Issue another request to this URL: '<BADHOST>/<302PATH_ON_TARGET>'
> * About to connect() to BADHOST port 443 (#1)
> [..SSL handshake..]
> GET /<302PATH_ON_TARGET> HTTP/1.1
> Host: BADHOST
> [..]
>
>
> HTTP/1.1 404 Not Found
> HTTP/1.1 404 Not Found
> < Server: nginx
> Server: nginx
> < Date: Mon, 03 Feb 2014 15:00:05 GMT
> Date: Mon, 03 Feb 2014 15:00:05 GMT
> < Content-Type: text/html
> Content-Type: text/html
> < Content-Length: 162
> Content-Length: 162
> < Connection: keep-alive
> Connection: keep-alive
>
> ---snap
>
> The <302PATH_ON_TARGET> is in this example a URL for retrying form-based authentication,
> so that issue has a quite dramatic security impact if the server doesn't throw e.g. a
> 400 but takes user input (here: host header) and redirects thereto.
>
> Needless to ask: It's certainly mod_nss. mod_ssl (same machine, rest of configuration
> not touched) doesn't show this.
I hope there's something going on behind the scenes, as my
posting was > 2 weeks ago.
Please let me know if this is the wrong list or further input/explanation is needed --
IMHO this bug (if reproducible) should be labeled at least as medium if not high risk.
Cheers,
Dirk
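The following is an added example, not code from the post, from mod_nss or from Apache. It shows two things the thread is about: a client-side check that parses a 302 response and flags whether the Location header points at the Host value the client injected (the unvalidated-redirect symptom in the curl transcript), and the generic server-side pattern of building a redirect target from the Host header versus from a configured canonical name or refusing with a 400. The hostnames (login.example.org as the target, evil.example as the attacker-controlled Host value) and the sample responses are constructed placeholders for the <TARGET>/<BADHOST> in the post; nothing here asserts how mod_nss itself derives the Location value.

```python
"""Added example: detect a Host-header-reflecting redirect and show the
vulnerable vs. hardened way of building a redirect target.

Not code from the mailing-list post, mod_nss or Apache. Hostnames and
responses below are constructed stand-ins for the post's placeholders."""
from urllib.parse import urlsplit

# Constructed sample response modelled on the 302 in the post:
# the target is login.example.org, the injected Host header was evil.example.
REFLECTED_302 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Date: Mon, 03 Feb 2014 15:00:04 GMT\r\n"
    b"Server: Apache\r\n"
    b"Location: https://evil.example/login/retry\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
)
# What a correctly behaving server should have sent instead (constructed).
SAFE_302 = REFLECTED_302.replace(b"evil.example", b"login.example.org")
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response_head(raw: bytes):
    """Return (status_code, {lowercased header name: value}) for an HTTP/1.x head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_host(raw: bytes):
    """Hostname the response redirects to, or None if it is not an absolute redirect.

    A relative Location (e.g. "/login/retry") keeps the client on the origin it
    connected to, so it is treated as not redirecting to another host."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname
    return host.lower() if host else None


def reflects_injected_host(raw: bytes, injected_host: str, target_host: str) -> bool:
    """True when the server redirected to the Host value the client supplied,
    i.e. the behaviour shown in the post's curl transcript."""
    host = redirect_host(raw)
    return host is not None and host == injected_host.lower() and host != target_host.lower()


def build_location_vulnerable(host_header: str, path: str) -> str:
    """The pattern the post complains about: the redirect target is assembled
    from the client-controlled Host header without any validation."""
    return f"https://{host_header}{path}"


def build_location_hardened(host_header: str, path: str,
                            allowed_hosts: frozenset, canonical_host: str):
    """Hardened variant: reject unknown Host values with 400, and never copy the
    Host header into Location; redirect only to the configured canonical name.
    Returns (status_code, location_or_None)."""
    if host_header.lower() not in allowed_hosts:
        return 400, None
    return 302, f"https://{canonical_host}{path}"


if __name__ == "__main__":
    verdict = reflects_injected_host(REFLECTED_302, "evil.example", "login.example.org")
    print("reflected Host in Location:", verdict)
    print("hardened:", build_location_hardened("evil.example", "/login/retry",
                                               frozenset({"login.example.org"}),
                                               "login.example.org"))
```

To use `reflects_injected_host` against a live server, capture the raw response of a request carrying a forged Host header (the `curl -v -H 'Host: ...'` in the post does exactly that) and pass the bytes in together with the injected and the real hostname; a True result is the unvalidated redirect the thread describes. The hardened builder matches the remedy the post asks for: an unknown Host value gets a 400 rather than being echoed into the Location header.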