Closed Topsec-bunney closed 2 years ago
mark0263
commented
2 years ago Is there a proof of concept that shows how this can be exploited? I don't disagree with validating the Host (and X-Forwarded-Host) with some type of whitelist. Looking thru the glFusion code, glFusion does not rely on or user the Host header. Is this more of a web server concern?
Topsec-bunney
commented
2 years ago This problem can be solved through the web server, but because the website uses many absolute paths, this is also one of the unsafe factors. If you fix it, you can change the absolute path of the website to a relative path, which is safer.
walterrowe
commented
2 years ago I have always disliked having absolute paths. It makes it more difficult to move sites from one host to another, or clone a production site to a test environment. Relative paths would be a welcome improvement.
Walter
On Dec 8, 2021, at 8:59 AM, Topsec_bunney @.***> wrote:
This problem can be solved through the web server, but because the website uses many absolute paths, this is also one of the unsafe factors. If you fix it, you can change the absolute path of the website to a relative path, which is safer.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
leegarner
commented
2 years ago It wouldn't hurt to validate the host header, I'm not sure if it would hurt anything since everything gets redirected to site_url or site_admin_url anyway. Normally spoofing a host header will simply allow you to load a virtual host by curling the IP address
The "absolute" path is determined by the web server config. Normally you'd have a directive setting the document root to, in your case,
mark0263
commented
2 years ago Closing as this is a web server configuration concern
After modifying the host value, you can still request to the website. This can easily lead to Man-in-the-MiddleAttack