cachethq / cachet

🚦 The open-source status page system.
https://cachethq.io
MIT License
13.79k stars 1.55k forks

X-Forwarded-Host header spoofing is possible, resulting in the error page linking users to the content of the spoofed header. #4236

Closed pedramjm closed 11 months ago

pedramjm commented 3 years ago

Summary

When a GET request with the inserted/spoofed header value X-Forwarded-Host: arbitrary-url.com is sent to the following endpoint, the home page link <a href>'s to the content of the X-Forwarded-Host value.

https://dev.cachethq.io/non-existent-path i.e. https://dev.cachethq.io/asdfasdf

This affects the error 404 page and seems to be caused by whatever is generating the $home_url value:

vendor/graham-campbell/exceptions/resources/error.html:     Perhaps you would like to go to our <a href="{{ $home_url }}">home page</a>?
vendor/graham-campbell/exceptions/src/Displayers/HtmlDisplayer.php:     $info['home_url'] = $generator('/');

Example request

GET /asdfasdf HTTP/1.1
Host: dev.cachethq.io
User-Agent: testing
X-Forwarded-Host: evil.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce

  1. Intercept a GET request to https://dev.cachethq.io/asdfasdf, using software such as Burp Suite or Postman
  2. Insert the header X-Forwarded-Host: evil.com
  3. Forward the request
  4. Hover over the home page link on the displayed page
  5. Observe https://evil.com at the bottom of the page

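As an added defensive example, not code from Cachet or from the graham-campbell/exceptions package the issue points at: a small resolver for the host used in generated links that honours X-Forwarded-Host only when the request arrives from a configured trusted proxy and the forwarded value is on an allow list, and otherwise falls back to the Host header. The proxy ranges, allowed hostnames and function names are assumptions made up for this example.

```python
import ipaddress
import re

# Constructed values for this example: the reverse proxies allowed to set
# X-Forwarded-Host, and the hostnames this deployment actually serves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_HOSTS = {"dev.cachethq.io", "status.example.com"}

# A bare hostname with an optional port; no scheme, path, userinfo or spaces.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def allowed_host(value):
    """Return 'name[:port]' if value is well-formed and allow-listed, else None."""
    m = _HOST_RE.match(value.strip().lower())
    if not m or m.group("name") not in ALLOWED_HOSTS:
        return None
    port = m.group("port")
    return m.group("name") + (":" + port if port else "")


def from_trusted_proxy(remote_addr):
    """True only if the immediate peer is one of the configured proxies."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_home_url(headers, remote_addr):
    """Build the 'home page' link; returns None if no acceptable host exists."""
    h = {k.lower(): v for k, v in headers.items()}
    host = allowed_host(h.get("host", ""))
    if host is None:
        return None  # Host is not one of ours: refuse to build a link at all
    forwarded = h.get("x-forwarded-host")
    if forwarded and from_trusted_proxy(remote_addr):
        # Only the first (client-facing) hop matters; later proxies may append.
        candidate = allowed_host(forwarded.split(",")[0])
        if candidate is not None:
            host = candidate
    # X-Forwarded-Host from an untrusted peer, or not allow-listed, is ignored.
    return "https://" + host + "/"
```

With the request shown in the issue (Host dev.cachethq.io, X-Forwarded-Host evil.com, sent directly by a client rather than via a trusted proxy) the resolver keeps dev.cachethq.io, so the spoofed header never reaches the generated link.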
welcome[bot] commented 3 years ago

:wave: Thank you for opening your first issue. I'm just an automated bot that's here to help you get the information you need quicker, so please ignore this message if it doesn't apply to your issue. If you're looking for support, you should try the Slack group by registering your email address at https://cachethq-slack.herokuapp.com. Alternatively, email support@alt-three.com for our Professional support service (please note, this is a paid service). If your issue is with documentation, you can suggest edits by clicking the Suggest Edits link on any page, or open an issue at https://github.com/CachetHQ/Docs

jbrooksuk commented 11 months ago

Thank you for your input on Cachet 2.x. We are shifting our attention and resources to Cachet 3.x and will no longer be supporting the 2.x version. If your feedback or issue is relevant to the 3.x series, we encourage you to engage with the new branch.

For more information on the Cachet rebuild and our plans for 3.x, you can read the announcement here.

We appreciate your understanding and look forward to your contributions to the new version.