Bug #15107

closed

config.baseURL exploitable through malformed http-header

Added by Roland Behme about 19 years ago. Updated over 18 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2005-10-19
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 3.8.0
PHP Version: 4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Prerequisites:
- config.baseURL = 1
- Page is not cached yet or not cacheable

Description:
When an attacker sends an http-request with a tweaked "Host:"-header, it is possible to inject a foreign base-tag into the html-header of typo3 generated pages. So links to images, stylesheets or other pages can be redirected to a remote server.

When an http-request with a tweaked host-header is processed, the environment-variable "HTTP_HOST" contains the address that is mentioned in the malformed header. So baseURL is set to the host given in "HTTP_HOST" because the value is read directly from the environment of the webserver without further checks (class.t3lib_div.php, line 2725).

Workaround:
set config.baseURL to the server-name

I came over this because some script-kiddie in Korea scanned one of my webservers for open http-proxies. He tried URLs like "http://my.server.tld/http://his.server.ip" with a host-header set to his server-ip.

After this some of my typo3-sites with very low traffic (so that the caches were empty) refused to load their stylesheets. In fact they tried to read them from the server in Korea because the base-tag said so ...
I looked for the suspect IP in the http-logs of the server and found these requests. Then I tracked down the creation of the base-tag in the typo3-sources and came to the environment-variable "HTTP_HOST".
"HTTP_HOST" is set to the server the browser asked for in its http-request ... voila.
(issue imported from #M1670)
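The mechanism in the report, as an added illustration that is not TYPO3's code: one function builds the base URL straight from HTTP_HOST (the behaviour described above), the other only accepts a Host value from a configured allowlist and otherwise falls back to the server name, which is what the workaround does by hand. The function names, the allowlist and the request array are assumptions constructed for this example.

```php
<?php
// Added example, not TYPO3's own code. Shows why reading HTTP_HOST without
// checks lets a client choose the <base href> of a generated page, and one
// way to validate it.

// Unsafe: trusts whatever hostname the client put into its "Host:" header.
function baseUrlUnsafe(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/';
}

// Checked: accept the Host value only if it names a host this site is
// configured to serve; otherwise use the configured server name, which is
// the same effect as the workaround "set config.baseURL to the server-name".
function baseUrlChecked(array $server, array $allowedHosts, string $fallbackHost): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = isset($server['HTTP_HOST']) ? strtolower(trim((string)$server['HTTP_HOST'])) : '';
    // Drop an optional ":port" before comparing against the allowlist.
    $hostOnly = preg_replace('/:\d+$/', '', $host);
    if ($hostOnly === '' || !in_array($hostOnly, $allowedHosts, true)) {
        $host = $fallbackHost;
    }
    return $scheme . '://' . $host . '/';
}

// Constructed request environment modelled on the scan in the report: the
// request reaches my.server.tld, but the Host header names another machine
// (203.0.113.7 is a documentation address standing in for "his.server.ip").
$request = [
    'HTTP_HOST'   => '203.0.113.7',
    'REQUEST_URI' => '/http://203.0.113.7',
    'HTTPS'       => 'off',
];
$allowedHosts = ['my.server.tld', 'www.my.server.tld'];

// The unsafe variant yields a base URL pointing at the foreign host, so every
// relative stylesheet or image link on the page would be fetched from there;
// the checked variant keeps the configured host.
echo 'unsafe:  ', baseUrlUnsafe($request), "\n";
echo 'checked: ', baseUrlChecked($request, $allowedHosts, 'my.server.tld'), "\n";
```

A request whose Host header does not match any served hostname is also worth logging at the web server, since that is exactly the trace the reporter used to find these requests.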

Actions #1

Updated by Roland Behme almost 19 years ago

This issue was fixed in 3.8.1. Thanks, folks!

Actions #2

Updated by Sebastian Kurfuerst almost 19 years ago

fixed in 3.8.1
