RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Host Header Injection #32695

Open irfanasyraf opened 5 days ago

irfanasyraf commented 5 days ago

Description:

Make a request directly to the following host via HTTP (Port 80) with an arbitrary domain in the "Host" header.

e.g. curl -v -k -H "Host: test123.com" https://"rocketchat domain"

Observe the redirect to the inserted domain.

Expected behavior:

The redirect should not happen based on the "Host" header value and it should be rejected.

The web application profile is specifically bound to the correct host name to ensure that arbitrary host names sent to the web server will not reach the application. When validating the host headers, a whitelist approach where only allowed domains are declared should be preferred over a blacklist.

Actual behavior:

It was observed that the user is redirected based on the "Host" header value.

Server Setup Information:
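The allowlist check the report asks for, written out as an added example for this issue thread (it is not Rocket.Chat code and is not a Rocket.Chat setting). It assumes the operator configures the permitted Host values and a canonical origin; the hostnames `chat.example.com` and the origin `https://chat.example.com` are constructed for the demo. The two defender-side points it shows are (1) the Host header is compared against an allowlist after normalisation and rejected with 400 otherwise, and (2) any redirect is built from the configured origin, never from the value the client sent, so a spoofed Host cannot become a Location target.

```javascript
// Added example, not Rocket.Chat code. Demonstrates a Host-header allowlist
// and a redirect that never echoes the request's Host value.

// Constructed configuration (hypothetical names, not Rocket.Chat settings).
const ALLOWED_HOSTS = new Set(['chat.example.com', 'chat.example.com:443']);
const CANONICAL_ORIGIN = 'https://chat.example.com';

// Normalise a raw Host header: lower-case, drop a trailing dot on the name,
// keep an explicit port. Accepts "name", "name:port", "[v6]" or "[v6]:port".
// Returns null when the header is missing or does not look like a host.
function normalizeHost(raw) {
  if (typeof raw !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(raw.trim().toLowerCase());
  if (!m) return null;
  const name = m[1].replace(/\.$/, '');
  return m[2] ? `${name}:${m[2]}` : name;
}

// Allowlist decision: exact match on the normalised value only.
function isAllowedHost(raw, allowlist = ALLOWED_HOSTS) {
  const host = normalizeHost(raw);
  return host !== null && allowlist.has(host);
}

// Build a redirect target from the configured origin, never from req.headers.host.
// Only a path starting with a single "/" is accepted, so "//evil.example/" cannot
// turn into a protocol-relative redirect off-site.
function safeRedirectLocation(path) {
  const safePath = typeof path === 'string' && /^\/(?!\/)/.test(path) ? path : '/';
  return CANONICAL_ORIGIN + safePath;
}

// Pure policy function so the behaviour can be unit-tested without sockets.
// Returns { status, location } for a given Host header and request URL.
function decide(hostHeader, url) {
  if (!isAllowedHost(hostHeader)) {
    return { status: 400, location: null };
  }
  // Illustrative application rule: send the bare root to the login page.
  if (url === '/') {
    return { status: 302, location: safeRedirectLocation('/login') };
  }
  return { status: 200, location: null };
}

// Node-style request handler; plug into http.createServer(handle).listen(port).
// req/res are duck-typed so the handler can be exercised with fakes.
function handle(req, res) {
  const d = decide(req.headers && req.headers.host, req.url);
  if (d.location) {
    res.writeHead(d.status, { Location: d.location });
    res.end();
  } else if (d.status === 400) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Bad Request: unrecognised Host header\n');
  } else {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('ok\n');
  }
  return d;
}
```

A request carrying `Host: test123.com` is answered with 400 and never reaches the redirect logic; a request with an allowed Host is redirected to `https://chat.example.com/login`, a value taken from configuration rather than from the request. The same rule belongs at the reverse proxy or load balancer in front of the application, where a default server block that rejects unknown hosts gives the same effect before traffic reaches Rocket.Chat.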

reetp commented 5 days ago

Thanks for your observation.

I will ask for someone to review this.

debdutdeb commented 5 days ago

Can you clarify what you mean?

Redirects here should be (and are) handled by the web server in front, not by Rocket.Chat itself.

irfanasyraf commented 5 days ago

Hi team,

My Rocketchat Application is fronted by an AWS ALB, so I might redirect it using WAF rules before it reaches the instance where my server is hosted.

I was just wondering if there is any such feature where I can just 'whitelist' my rocketchat domain from rocketchat settings itself when a host header injection is being done.

Thank you and appreciate the help!

reetp commented 4 days ago

For reference this was your post on forums:

https://forums.rocket.chat/t/edit-content-security-policy/20212

From this post I note that your server is air-gapped as well?

https://forums.rocket.chat/t/disable-concurrent-login/20208

This sort of information is really important.

> My Rocketchat Application is fronted by an AWS ALB, so I might redirect it using WAF rules before it reaches the instance where my server is hosted.

I'm wondering if this is more to do with your own setup than it is to do with Rocket.