Task #99347: Add HTTP host header injection check to reports module - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Task #99347

closed

Add HTTP host header injection check to reports module

Added by Oliver Hader almost 2 years ago. Updated almost 2 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Oliver Hader

Category:

Security

Target version:

Start date:

2022-12-12

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

In case the web server scenario is not properly configured to deny
HTTP host header injection, and the trustedHostsPattern is not explic
enough, an corresponding check in the reports module will issue
an error message like

HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive UseCanonicalName On for Apache
web server environments mitigates the risk.

This is related to a side note in https://typo3.org/security/advisory/typo3-core-sa-2014-001
which introduced the trustedHostsPattern configuration.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Task #99347

Add HTTP host header injection check to reports module

Updated by Oliver Hader almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Oliver Hader almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Gerrit Code Review almost 2 years ago

Updated by Oliver Hader almost 2 years ago

Updated by Benni Mack almost 2 years ago