Expand my Community achievements bar.

Missing Host Header Verification

Avatar

Level 3
Level 3
1/22/23 10:53:41 PM

Hi All,

 

This isssue is reported by the security team and they want us to fix this.

Please help me with the fix as i suspect we need to make changes on dispatcher leve.

How do we verify the Missing Host Header in aem 6.5.14

@arunpatidar ,please could you suggest on the fix.

 

Thanks,

Mahesh

Views

1.5K

Replies

9
Sign in to like this content

Total Likes

Translate
Translate
9 Replies

Avatar

Community Advisor
Community Advisor
1/22/23 11:28:16 PM

Hi @smahesh 

 

Can you provide more details on the issue?

 

Thanks,

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
1/22/23 11:54:34 PM
In response to ksh_ingole7

Hi @ksh_ingole7 ,

 

please find the details below:

 

It was observed that HTTP HOST header is missing verification when sending web requests. One can change the host header to access other virtual hosts on

the website such as api, solr, logs ,etc.

Affected Items

//stage-abc.com/

Observation

We observed that in the application an attacker could manually divert the code to produce the hacker’s desired output, simply by editing the host header.

Most probably web servers are configured to pass the host header to the first virtual host in the list without proper reorganisation. So It is possible to send the

HTTP requests with arbitrary host headers to the first virtual host.

As we can see it works good when the host is stage-abc.com

 

Thanks,

Mahesh

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
1/23/23 12:25:45 AM

Can you please share the headers mentioned in dispatcher config

 

# first farm entry (label is not important, just for your convenience)
   /website
     {
     /clientheaders
       {
       # List of headers that are passed on
       }
Himanshu Jain

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
1/23/23 5:18:38 AM
In response to Himanshu_Jain

Hi @Himanshu_Jain 

 

I am posting here the list of clientheaders as asked:

 

"X-Forwarded-Proto"
"X-Forwarded-SSL-Certificate"
"X-Forwarded-SSL-Client-Cert"
"X-Forwarded-SSL"
"X-Forwarded-Protocol"
"CSRF-Token"
"referer"
"user-agent"
"from"
"content-type"
"content-length"
"accept-charset"
"accept-encoding"
"accept-language"
"accept"
"host"
"if-match"
"if-none-match"
"if-range"
"if-unmodified-since"
"max-forwards"
"range"
"cookie"
"depth"
"translate"
"expires"
"date"
"if"
"lock-token"
"x-expected-entity-length"
"destination"
"Sling-uploadmode"
"x-requested-with"

 

Please inform what else i need to add to avoid this error of Missing Host Header Verification.

 

Thanks,

Mahesh

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
1/23/23 2:29:09 AM

Hi Smahesh,

 

Kindly update your site webserver configuration inside rewrite rules section of your site .conf file:

 

RewriteCond %{HTTP_HOST} !^stage-abc.com$

RewriteRule ^(.*)$ https://stage-abc.com [R=301, L]

 

Regards,

Peter

Views

1.4K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
1/23/23 5:12:59 AM
In response to Peter_Puzanovs

Hi @Peter_Puzanovs ,

 

Let me try the above rule, but please could you mention why this error is showing ?

 

Thanks,

Mahesh

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
1/24/23 2:01:40 AM
In response to Peter_Puzanovs

Hi @Peter_Puzanovs ,

 

I have a common rewrite file for all environment and if i add your rewrite rule for checking header then it is only for stage environment but what about dev/qa/production?

 

Thanks,

Mahesh 

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate