Bug #15107
Status: closed
config.baseURL exploitable through malformed HTTP header
Description
Prerequisites:
- config.baseURL = 1
- Page is not cached yet or not cacheable
Description:
When an attacker sends an HTTP request with a manipulated "Host:" header, it is possible to inject a foreign base tag into the HTML head of TYPO3-generated pages. Links to images, stylesheets or other pages are then redirected to a remote server, and since the poisoned page ends up in the cache, every later visitor receives the foreign base tag as well.
When an HTTP request with a manipulated Host header is processed, the environment variable "HTTP_HOST" contains the address given in that header. baseURL is therefore set to the host from "HTTP_HOST", because the value is read directly from the web server's environment without any further check (class.t3lib_div.php, line 2725).
Workaround:
Set config.baseURL explicitly to the server name instead of 1, so the base tag no longer depends on the Host header.
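The following is an added example and not TYPO3's own code: it shows the hardened form of the logic described above, where the host for the base tag is taken from HTTP_HOST only if it is on an explicit allowlist of names the site actually serves, and otherwise falls back to the configured server name (the workaround from this report). The function names, the allowlist and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from TYPO3 or this report): build the <base> host from an
// allowlisted Host header, never from an arbitrary one.

/**
 * Return the host name to use in the <base> tag.
 *
 * @param array  $server       $_SERVER-like array (constructed in the samples below)
 * @param string $serverHost   configured canonical host, the equivalent of an explicit config.baseURL
 * @param array  $allowedHosts lowercase host names this site is allowed to answer for (constructed)
 */
function resolveBaseHost(array $server, string $serverHost, array $allowedHosts): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Compare the host part only; an optional :port is stripped first.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($raw)));

    // Accept only a syntactically plain host name that is on the allowlist.
    if ($host !== ''
        && preg_match('/^[a-z0-9.-]+$/', $host) === 1
        && in_array($host, $allowedHosts, true)
    ) {
        return $host;
    }

    // Any other Host value (foreign IPs, proxy-scan requests, garbage) is ignored
    // and the configured server name is used, which is what the workaround achieves.
    return $serverHost;
}

/** Render the base tag with the resolved host; the URL is HTML-escaped. */
function baseTag(string $scheme, string $host, string $path): string
{
    return '<base href="' . htmlspecialchars($scheme . '://' . $host . $path, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed samples mirroring the situation in the report.
$allowed = ['my.server.tld', 'www.my.server.tld'];
$legit   = ['HTTP_HOST' => 'my.server.tld'];
$forged  = ['HTTP_HOST' => '203.0.113.10:8080']; // documentation IP standing in for the foreign server

echo baseTag('http', resolveBaseHost($legit,  'my.server.tld', $allowed), '/'), "\n";
echo baseTag('http', resolveBaseHost($forged, 'my.server.tld', $allowed), '/'), "\n";
// Both lines end up pointing at my.server.tld; the forged Host header has no effect.
```

Because the page is cached together with its base tag, the allowlist check has to run before the cache entry is written, not only on cache misses seen by the administrator. For detection, requests whose Host header does not match any name the server serves stand out in the access log when the Host value (%{Host}i in Apache's LogFormat) is logged alongside the request line.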
I came over this because some script-kiddie in Korea scanned one of my webservers for open HTTP proxies. He tried URLs like "http://my.server.tld/http://his.server.ip" with a Host header set to his server IP.
After this some of my TYPO3 sites with very low traffic (so that the caches were empty) refused to load their stylesheets. In fact they tried to read them from the server in Korea because the base tag said so ...
I looked for the suspect IP in the HTTP logs of the server and found these requests. Then I tracked down the creation of the base tag in the TYPO3 sources and came to the environment variable "HTTP_HOST".
"HTTP_HOST" is set to the server the browser asked for in its HTTP request ... voila.
(issue imported from #M1670)