Bug #30377

Cache poisoning through http(s) enforcement feature

Added by Helmut Hummel about 9 years ago. Updated about 2 years ago.

Status: Closed
Priority: Must have
Category: -
Target version: -
Start date: 2011-09-28
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When requesting a site with another hostname (set to the same IP) and IP-based hosting is used, all links that are enforced to use a different scheme will take this (forged) hostname into account.


Related issues

Related to TYPO3 Core - Bug #20381: Shortcut icon maps to wrong URL (Closed, 2009-04-30)

Related to CloudFlare Client - Bug #59021: Flexible SSL is not supported anymore and crashes with 1396795884 (Closed, Xavier Perseguers, 2014-05-22)

Precedes TYPO3 Core - Feature #59355: make trustedHostsPattern use sys_domain records (Rejected, 2014-06-05)
#1

Updated by Christian Kuhn about 9 years ago

This is related to the 'shortcut-icon' problem in #20381 and boils down to the fact that we do not have an API in FE to determine a valid domain name.

We have ideas to make for example 'domain records' required somehow, but we must tackle possible server scenarios carefully.

#2

Updated by Marcus Krause over 8 years ago

  • OTRS-Sec Ticket-ID set to 2012030810000055

Our team received a report on Mar 8, 2012 which most probably describes this issue. (@see OTRS-Sec Ticket-ID)

#3

Updated by Steffen Ritter over 8 years ago

  • Status changed from New to Under Review
#4

Updated by Steffen Ritter over 8 years ago

  • Assignee set to Steffen Ritter
#5

Updated by Gerrit Code Review over 8 years ago

Patch set 2 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13100

#6

Updated by Gerrit Code Review over 8 years ago

Patch set 3 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13100

#7

Updated by Gerrit Code Review over 8 years ago

Patch set 4 for branch master_new has been pushed to the review server.
It is available at http://review.typo3.org/13100

#8

Updated by Christian Kuhn almost 7 years ago

This is related to the 'shortcut-icon' problem in #20381.

The main issue is that $_SERVER['HTTP_HOST'] cannot be trusted; see

http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

Domain records cannot be used as they are restricted to the FE, but we must fix this issue in the BE and the install tool, too.

Discussion during security sprint hh 2013:

We will implement a new configuration parameter LocalConfiguration ['SYS']['TRUSTED_HOSTS'] (possibly a regex) that can be set and is used in GeneralUtility::getIndpEnv() (main patch). The default is a "catch-all".

We should push information about this attack vector into the wild.

In public, further patches should follow to add wizards/install procedures/report module/TCEmain domain-record hooks/more. Their goal is to make the administration of this parameter as convenient as possible.
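To illustrate the check described in this comment, here is an added PHP example (not TYPO3's own code): a Host value from the request is matched against a ['SYS']['TRUSTED_HOSTS'] regex before it is used to build the absolute URL that scheme enforcement emits into a cached page. The function names, the sample requests and the pattern are constructed for the example; the catch-all default '.*' reproduces the pre-patch behaviour.

```php
<?php
declare(strict_types=1);

// Default from the discussion above: accept any host (pre-patch behaviour).
const TRUSTED_HOSTS_CATCH_ALL = '.*';

// Hypothetical helper: does the Host header match the configured pattern?
function isTrustedHost(string $host, string $trustedHostsPattern): bool
{
    // Ignore an optional port; anchor the pattern so "example.org.attacker.test"
    // does not match a pattern meant for "example\.org".
    $hostOnly = preg_replace('/:\d+$/', '', $host);
    return preg_match('/^(?:' . $trustedHostsPattern . ')$/i', $hostOnly) === 1;
}

/**
 * Hypothetical helper building the absolute URL used when a page is forced
 * onto http or https. Throws instead of emitting an attacker-supplied host
 * into a link that would end up in the page cache.
 *
 * @param array<string,string> $server  the $_SERVER superglobal (or a copy)
 */
function buildEnforcedSchemeUrl(array $server, string $scheme, string $pattern): string
{
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    if (!isTrustedHost($host, $pattern)) {
        throw new UnexpectedValueException(
            'Untrusted Host header, check [SYS][TRUSTED_HOSTS]: ' . $host
        );
    }
    return $scheme . '://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed sample requests: with IP-based hosting the client may send any
// Host value; "example.org" is the legitimate domain of this site.
$forgedRequest = ['HTTP_HOST' => 'attacker.test', 'REQUEST_URI' => '/index.php?id=1'];
$legitRequest  = ['HTTP_HOST' => 'www.example.org', 'REQUEST_URI' => '/index.php?id=1'];
$pattern = '(www\.)?example\.org';

echo buildEnforcedSchemeUrl($legitRequest, 'https', $pattern), PHP_EOL;

// With the catch-all default the forged host leaks into the generated link.
echo buildEnforcedSchemeUrl($forgedRequest, 'https', TRUSTED_HOSTS_CATCH_ALL), PHP_EOL;

// With a real pattern the same request is rejected before any URL is built.
try {
    buildEnforcedSchemeUrl($forgedRequest, 'https', $pattern);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```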

#9

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#10

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#11

Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#12

Updated by Gerrit Code Review over 6 years ago

Patch set 4 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#13

Updated by Gerrit Code Review over 6 years ago

Patch set 5 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#14

Updated by Gerrit Code Review over 6 years ago

Patch set 6 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#15

Updated by Gerrit Code Review over 6 years ago

Patch set 7 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#16

Updated by Gerrit Code Review over 6 years ago

Patch set 8 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#17

Updated by Gerrit Code Review over 6 years ago

Patch set 9 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#18

Updated by Gerrit Code Review over 6 years ago

Patch set 10 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#19

Updated by Gerrit Code Review over 6 years ago

Patch set 11 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#20

Updated by Gerrit Code Review over 6 years ago

Patch set 12 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#21

Updated by Gerrit Code Review over 6 years ago

Patch set 13 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#22

Updated by Gerrit Code Review over 6 years ago

Patch set 14 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#23

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_6-1 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30206

#24

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_6-0 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30207

#25

Updated by Gerrit Code Review over 6 years ago

Patch set 15 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#26

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch TYPO3_6-0 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30207

#27

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch TYPO3_6-1 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30206

#28

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_4-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30211

#29

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_4-5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30213

#30

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch TYPO3_4-5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30213

#31

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch TYPO3_4-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/30211

#32

Updated by Gerrit Code Review over 6 years ago

Patch set 16 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/25801

#33

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_4-5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30275

#34

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_4-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30283

#35

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_6-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30291

#36

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30299

#37

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30307

#38

Updated by Helmut Hummel over 6 years ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (T3-04: Cache poisoning)
#39

Updated by Helmut Hummel over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#40

Updated by Benni Mack about 2 years ago

  • Status changed from Resolved to Closed
