Missing Host Header Verification | Community

Missing Host Header Verification

  • January 23, 2023
  • 5 replies
  • 2908 views

Hi All,

This issue is reported by the security team and they want us to fix this.

Please help me with the fix as I suspect we need to make changes at the dispatcher level.

How do we verify the Missing Host Header in AEM 6.5.14?

@arunpatidar, please could you suggest the fix.

Thanks,

Mahesh


5 replies

ksh_ingole7
Community Advisor
January 23, 2023

Hi @smahesh

Can you provide more details on the issue?

Thanks,

smahesh (Author)
Level 3
January 23, 2023

Hi @ksh_ingole7,

Please find the details below:

It was observed that the HTTP Host header is missing verification when sending web requests. One can change the Host header to access other virtual hosts on the website such as api, solr, logs, etc.

Affected Items

//stage-abc.com/

Observation

We observed that in the application an attacker could manually divert the code to produce the hacker’s desired output, simply by editing the host header.

Most probably web servers are configured to pass the host header to the first virtual host in the list without proper reorganisation. So it is possible to send HTTP requests with arbitrary host headers to the first virtual host.

As we can see, it works well when the host is stage-abc.com.

Thanks,

Mahesh

Himanshu_Jain
Community Advisor
January 23, 2023

Can you please share the headers mentioned in the dispatcher config?

# first farm entry (label is not important, just for your convenience)
   /website
     {
     /clientheaders
       {
       # List of headers that are passed on
       }
     }
Himanshu Jain
smahesh (Author)
Level 3
January 23, 2023

Hi @himanshu_jain,

I am posting here the list of clientheaders as asked:

"X-Forwarded-Proto"
"X-Forwarded-SSL-Certificate"
"X-Forwarded-SSL-Client-Cert"
"X-Forwarded-SSL"
"X-Forwarded-Protocol"
"CSRF-Token"
"referer"
"user-agent"
"from"
"content-type"
"content-length"
"accept-charset"
"accept-encoding"
"accept-language"
"accept"
"host"
"if-match"
"if-none-match"
"if-range"
"if-unmodified-since"
"max-forwards"
"range"
"cookie"
"depth"
"translate"
"expires"
"date"
"if"
"lock-token"
"x-expected-entity-length"
"destination"
"Sling-uploadmode"
"x-requested-with"

Please inform what else I need to add to avoid this error of Missing Host Header Verification.

 

Thanks,

Mahesh

Peter_Puzanovs
Community Advisor
January 23, 2023

Hi Smahesh,

Kindly update your site web server configuration inside the rewrite rules section of your site .conf file:

# Redirect any request whose Host header is not the canonical host
# (dot escaped so it matches only a literal "."; NC = case-insensitive)
RewriteCond %{HTTP_HOST} !^stage-abc\.com$ [NC]
# Flags are comma-separated with no space; keep the requested path
RewriteRule ^(.*)$ https://stage-abc.com%{REQUEST_URI} [R=301,L]

Regards,

Peter
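As an added illustration (not part of Peter's reply, and not AEM or dispatcher code), the Python below mirrors the allowlist decision that the RewriteCond expresses, run offline against constructed raw HTTP requests. It shows why the dot in the hostname must be escaped, accepts an optional port, and treats a missing or duplicated Host header as a malformed request; the host name stage-abc.com comes from the thread, and the other host values are made up.

```python
import re
from typing import Optional

# Pattern as posted in the thread: the unescaped "." matches any character.
POSTED_PATTERN = re.compile(r"^stage-abc.com$", re.IGNORECASE)
# Hardened pattern: literal dot, optional port as a client may send it.
FIXED_PATTERN = re.compile(r"^stage-abc\.com(:\d+)?$", re.IGNORECASE)


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP/1.1 request.

    Returns None when the header is absent or appears more than once,
    since HTTP/1.1 requires exactly one Host header.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")[1:]  # skip the request line
        if line.lower().startswith("host:")
    ]
    return values[0] if len(values) == 1 else None


def is_allowed_host(host: Optional[str], pattern: re.Pattern = FIXED_PATTERN) -> bool:
    """True when the Host value matches the allowlist pattern."""
    return host is not None and pattern.match(host) is not None


def decide(raw: bytes) -> str:
    """Mirror the web server decision for one request.

    'serve'    -> Host is the canonical host (the RewriteCond does not fire)
    'redirect' -> any other Host (RewriteRule ... [R=301,L] sends it to stage-abc.com)
    '400'      -> Host missing or duplicated (malformed HTTP/1.1 request)
    """
    host = host_from_request(raw)
    if host is None:
        return "400"
    return "serve" if is_allowed_host(host) else "redirect"


# Constructed sample requests (not captured traffic); host names other than
# stage-abc.com are placeholders.
GOOD = b"GET /content/abc/en.html HTTP/1.1\r\nHost: stage-abc.com\r\n\r\n"
OTHER_VHOST = b"GET /content/abc/en.html HTTP/1.1\r\nHost: solr.internal.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, OTHER_VHOST, NO_HOST):
        print(host_from_request(req), "->", decide(req))
```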

smahesh (Author)
Level 3
January 23, 2023

Hi @peter_puzanovs,

Let me try the above rule, but please could you mention why this error is showing?

Thanks,

Mahesh

Himanshu_Jain
Community Advisor
January 24, 2023