Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/05/04 22:00:16 UTC
[Bug 66593] New: Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks
https://bz.apache.org/bugzilla/show_bug.cgi?id=66593
Bug ID: 66593
Summary: Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks
Product: Tomcat 9
Version: 9.0.73
Hardware: PC
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: alvaro.garay@ibm.com
Target Milestone: -----
Hi,
It appears the Tomcat Connector layer is not protecting the API from host header
injection attacks.
For instance, Tomcat will allow the following requests to continue when
allowHostHeaderMismatch="false"
# new hostname and default port number in host header
curl --request 'POST' \
--url 'http://myhostname.com:8143/api/v1/endpoint' \
--header 'Host: facebook.com'
# new hostname and new port number in host header
curl --request 'POST' \
--url 'http://myhostname.com:8143/api/v1/endpoint' \
--header 'Host: facebook.com:8000'
So, the API will get the injected Host header values during
httpRequest.getServerName() or httpRequest.getServerPort() methods where
httpRequest is an object from HttpServletRequest.
Could you please clarify if I am misunderstanding something? I did read that
telnet makes it work. However, I am puzzled that with the curl command it is
not.
Thanks,
Alvaro
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66593
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Bugzilla is NOT a support forum. Please do as you have been asked and post to
the users mailing list.
--- Comment #4 from alvaro <al...@ibm.com> ---
Hi,
I have another question...if you don't mind.
So in this scenario, I have the request line using the absolute path with a
conflicting host header. The response is 400 bad request from Tomcat, which
makes sense.
telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: facebook.com
If I set a valid host header now, then I would expect this to pass, which it
does. So all is good.
telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com
telnet 1.1.1.1 8143
GET http://1.1.1.1/api/v1/endpoint HTTP/1.1
Host: 1.1.1.1
However, as soon as I define a port number in the host header then I get 400
Bad Request.
telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com:8143
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 762
Date: Fri, 05 May 2023 15:27:09 GMT
Connection: close
<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
Request</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;}
.line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Description</b> The server cannot or will not process the
request due to something that is perceived to be a client error (e.g.,
malformed request syntax, invalid request message framing, or deceptive request
routing).</p><hr class="line" /><h3>Apache Tomcat/9.0.73</h3></body></html>
This looks like it should work, but it does not. Thoughts?
--- Comment #1 from Han Li <li...@apache.org> ---
> Could you please clarify if I am misunderstanding something?
Sure, if you read the doc carefully, you will find which compare one host in
`request line
> I did read that telnet makes it work. However, I am puzzled that with the curl command
> it is not.
--- Comment #3 from alvaro <al...@ibm.com> ---
Thanks, this makes sense now.
Cheers,
Alvaro
Han Li <li...@apache.org> changed:
What       | Removed | Added
-----------+---------+---------
Resolution | ---     | INVALID
Status     | NEW     | RESOLVED
--- Comment #2 from Han Li <li...@apache.org> ---
> Could you please clarify if I am misunderstanding something?
Sure, if you read the doc carefully, you will find that it describes comparing the
host in the `request line` with the host in the Host header.
You can look at the details of the request by using the -v option of the curl command:
* Connected to myhostname (127.0.0.1) port 8143 (#0)
> POST /api/v1/endpoint HTTP/1.1. <---- request line
> Host: facebook.com
> User-Agent: curl/7.79.1
> Accept: */*
PS: Bugzilla is not a support forum; if you have any questions, you should post
to the users mailing list.
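The comparison Han Li describes, as an added model that reproduces the curl and telnet results reported in this thread. This is not Tomcat's code; it assumes the check is a literal comparison of the authority in an absolute-form request-target against the Host header value, and that the request-target wins when a mismatch is allowed. The request heads are constructed from the commands in the bug report.

```python
from typing import NamedTuple

# Added model of the request-line vs Host header check discussed in the thread.
# NOT Tomcat's code. Assumption: a literal string comparison of the authority in an
# absolute-form request-target against the Host header value.

class Verdict(NamedTuple):
    status: int        # 200 if the check accepts the request, 400 if it rejects it
    form: str          # "origin" (what curl sends) or "absolute" (the telnet tests)
    server_name: str   # what HttpServletRequest.getServerName() would then see
    reason: str

def parse_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a request head into method, request-target and lower-cased headers."""
    lines = raw.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:               # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def check_host(raw: bytes, allow_host_header_mismatch: bool = False) -> Verdict:
    _method, target, headers = parse_head(raw)
    host_header = headers.get("host")
    if target.lower().startswith(("http://", "https://")):
        authority = target.split("/", 3)[2]        # text between "//" and the next "/"
        if host_header is not None and host_header != authority:
            if not allow_host_header_mismatch:     # "myhost" != "myhost:8143" is a mismatch too
                return Verdict(400, "absolute", "",
                               f"authority {authority!r} != Host {host_header!r}")
        # Assumed: the request-target authority wins (mismatch allowed or no Host header).
        return Verdict(200, "absolute", authority.split(":")[0], "authority from request-target")
    # Origin-form target: there is no second host to compare, so the check has nothing
    # to reject; the Host header is the only source of the server name (IPv6 literals ignored).
    if host_header is None:
        return Verdict(400, "origin", "", "HTTP/1.1 requires a Host header")
    return Verdict(200, "origin", host_header.split(":")[0], "Host header taken as-is")

# Constructed request heads mirroring the curl and telnet tests in the bug report.
CURL_ORIGIN_FORM = b"POST /api/v1/endpoint HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
TELNET_MISMATCH = b"GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
TELNET_MATCH = b"GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1\r\nHost: myhostname.company.com\r\n\r\n"
TELNET_PORT = b"GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1\r\nHost: myhostname.company.com:8143\r\n\r\n"
```

Running `check_host` over the four constants shows why curl's origin-form request passes with an arbitrary Host header while the absolute-form telnet requests are rejected on any literal difference, port suffix included.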