Posted to hdfs-dev@hadoop.apache.org by "Evelyn Liang (Jira)" <ji...@apache.org> on 2022/08/24 15:47:00 UTC

[jira] [Created] (HDFS-16741) Validate host header value to prevent host header injection

Evelyn Liang created HDFS-16741:
-----------------------------------

             Summary: Validate host header value to prevent host header injection
                 Key: HDFS-16741
                 URL: https://issues.apache.org/jira/browse/HDFS-16741
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: webhdfs
    Affects Versions: 3.3.4, 3.3.3
            Reporter: Evelyn Liang
         Attachments: host header injection issue.png

Description 

In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This pattern can be abused because the HTTP Host header is controlled by the client, and therefore by an attacker. It can be exploited through web-cache poisoning and by abusing alternative channels such as password reset emails.

*Affected API:*
http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=OPEN
Other APIs that perform a redirect are also affected by this issue.

Risk Assessment 

It is possible for a remote attacker to inject a custom value into the Host header and force the application to redirect legitimate users to a web page or domain that the attacker controls. The user may be presented with a look-alike phishing page of the application, through which the attacker can upload or execute malicious content in the user's client.


Fix Recommendation 

The web application should validate that the Host header value is the same as the domain serving the request. It should also create a dummy vhost that catches all requests with unrecognized Host headers.
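The following is an added illustration of that recommendation, not code from Hadoop: a Host header check against an allowlist of the names the service is actually served under, and a redirect builder that takes its target from configuration rather than from the request. The allowlist entries, the canonical host, the default port and the request paths are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import urlunsplit

# Constructed sample allowlist: every host:port this service is reachable under.
# In a real deployment this comes from configuration, never from the request.
ALLOWED_HOSTS = {"namenode.example.internal:9870", "10.0.0.5:9870"}
# Constructed sample: the configured host that redirects are built from.
CANONICAL_HOST = "namenode.example.internal:9870"

# Accepts a hostname/IPv4 or a bracketed IPv6 literal, plus an optional port.
# Anything else (userinfo '@', paths, spaces, '#') is rejected outright.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:(\d{1,5}))?$")


def normalize_host(header_value, default_port):
    """Return 'host:port' in canonical lowercase form, or None if malformed."""
    if header_value is None:
        return None
    m = _HOST_RE.match(header_value.strip())
    if not m:
        return None
    # Lowercase and drop a trailing dot so 'Host.Example.' == 'host.example'.
    host = m.group(1).lower().rstrip(".")
    if host.startswith("["):
        # IPv6 literal: canonicalise so '[0:0:0:0:0:0:0:1]' matches '[::1]'.
        try:
            host = "[" + ipaddress.ip_address(host[1:-1]).compressed + "]"
        except ValueError:
            return None
    port = int(m.group(3)) if m.group(3) else default_port
    if not 0 < port < 65536:
        return None
    return f"{host}:{port}"


def is_trusted_host(header_value, default_port=9870):
    """True only when the normalised Host header is on the allowlist."""
    normalized = normalize_host(header_value, default_port)
    return normalized is not None and normalized in ALLOWED_HOSTS


def build_redirect(request_host, path, query):
    """Refuse untrusted Host values (400); otherwise redirect to the
    configured canonical host, never to whatever the client sent."""
    if not is_trusted_host(request_host):
        return 400, None
    return 307, urlunsplit(("http", CANONICAL_HOST, path, query, ""))
```

Rejecting the request outright plays the role of the catch-all vhost described above: an unrecognised Host value never reaches the code that builds a redirect.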


Steps to reproduce: 
 # Capture the API request using an interceptor and replace the value of the Host header with the attacker's web server.
 # Forward the edited request; it is observed that the API redirects to the attacker-supplied URL taken from the Host header.
 


