You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/05/04 22:00:16 UTC

[Bug 66593] New: Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

            Bug ID: 66593
           Summary: Connector attribute allowHostHeaderMismatch=false
                    fails to reject host header injection attacks
           Product: Tomcat 9
           Version: 9.0.73
          Hardware: PC
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: alvaro.garay@ibm.com
  Target Milestone: -----

Hi,

It appears Tomcat Connector layer is not protecting the API from host header
injection attack. 

For instance, Tomcat will allow the following requests to continue when
allowHostHeaderMismatch="false"

// new hostname and default port number in host header
curl --request 'POST' \
     --url 'http://myhostname.com:8143/api/v1/endpoint' \
     --header 'Host: facebook.com'

// new hostname and new port number in host header
curl --request 'POST' \
     --url 'http://myhostname.com:8143/api/v1/endpoint' \
     --header 'Host: facebook.com:8000'


So, the API will get the injected Host header values during
httpRequest.getServerName() or httpRequest.getServerPort() methods where
httpRequest is an object from HttpServletRequest.

Could you please clarify if I am miss-understanding something? I did read that
telnet makes it work. However, I am puzzled that with the curl command it is
not.

Thanks,
Alvaro

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Bugzilla is NOT a support forum. Please do as you have been asked and post to
the users mailing list.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

--- Comment #4 from alvaro <al...@ibm.com> ---
Hi,

I have another question...if you don't mind.

So in this scenario, I have the request line using the absolute path with a
conflicting host header. The response is 400 bad request from Tomcat, which
makes sense.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: facebook.com


If I set a valid host header now, then I would expect this to pass, which is
does. So all is good.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com

telnet 1.1.1.1 8143
GET http://1.1.1.1/api/v1/endpoint HTTP/1.1
Host: 1.1.1.1

However, as soon as I define a port number in the host header then I get 400
bad requests.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com:8143

HTTP/1.1 400 
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 762
Date: Fri, 05 May 2023 15:27:09 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 \u2013 Bad
Request</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;}
.line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 400 \u2013 Bad Request</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Description</b> The server cannot or will not process the
request due to something that is perceived to be a client error (e.g.,
malformed request syntax, invalid request message framing, or deceptive request
routing).</p><hr class="line" /><h3>Apache Tomcat/9.0.73</h3></body></html>

This looks like it should work, but it is not. Thoughts?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

--- Comment #1 from Han Li <li...@apache.org> ---
> Could you please clarify if I am miss-understanding something? 
Sure, If you read doc carefully, you will find which compare one host in
`request line
> I did read that telnet makes it work. However, I am puzzled that with the curl command
> it is not.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

--- Comment #3 from alvaro <al...@ibm.com> ---
thanks, this makes sense now. 

cheers,
Alvaro

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 66593] Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66593

Han Li <li...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #2 from Han Li <li...@apache.org> ---
> Could you please clarify if I am miss-understanding something? 

Sure, If you read doc carefully, you will find which describe that compare the
host in `request line` with the host in host header.

You can look at detail of request by using -v of curl command

* Connected to myhostname (127.0.0.1) port 8143 (#0)
> POST /api/v1/endpoint HTTP/1.1.   <---- request line
> Host: facebook.com
> User-Agent: curl/7.79.1
> Accept: */*

PS: Bugzilla is not a support forum, if you have any question, you should post
content to user mailing list.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org