https://bz.apache.org/bugzilla/show_bug.cgi?id=66593
Bug ID: 66593
Summary: Connector attribute allowHostHeaderMismatch=false fails to reject host header injection attacks
Product: Tomcat 9
Version: 9.0.73
Hardware: PC
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: alvaro.ga...@ibm.com
Target Milestone: -----

Hi,

It appears the Tomcat Connector layer is not protecting the API from host header injection attacks. For instance, Tomcat will allow the following requests to continue when allowHostHeaderMismatch="false":

    // new hostname and default port number in host header
    curl --request 'POST' \
      --url 'http://myhostname.com:8143/api/v1/endpoint' \
      --header 'Host: facebook.com'

    // new hostname and new port number in host header
    curl --request 'POST' \
      --url 'http://myhostname.com:8143/api/v1/endpoint' \
      --header 'Host: facebook.com:8000'

So, the API will get the injected Host header values from the httpRequest.getServerName() or httpRequest.getServerPort() methods, where httpRequest is an object from HttpServletRequest.

Could you please clarify if I am misunderstanding something? I did read that telnet makes it work. However, I am puzzled that with the curl command it is not.

Thanks,
Alvaro