Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-8274-h5jp-97vr: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack

Impact

Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

Any version after 2.11.0.

Starting in laminas/laminas-diactoros 2.11.1, we have added Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines the single method __invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface. Filters implementing this interface allow modifying and returning a generated ServerRequest.

The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as X-Forwarded-Host. When operating behind a reverse proxy, the Host header is often rewritten to the name of the node to which the request is being forwarded, and an X-Forwarded-Host header is generated with the original Host value to allow the server to determine the original host the request was intended for. (We have always examined the X-Forwarded-Proto header; as of Diactoros 2.11.1, we also examine the X-Forwarded-Port header.) To accommodate this use case, we created Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders.

Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request. (This value is found in $_SERVER['REMOTE_ADDR'], which is present as $request->getServerParams()['REMOTE_ADDR'] within PSR-7 implementations.) FilterUsingXForwardedHeaders provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.

Laminas\Diactoros\ServerRequestFactory::fromGlobals() was updated to accept a FilterServerRequestInterface as an additional, optional argument. Since the X-Forwarded-* headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via FilterUsingXForwardedHeaders::trustReservedSubnets(), which generates an instance marked to trust only proxies on private subnets.

Workarounds

Infrastructure or DevOps can configure web servers to reject X-Forwarded-* headers at the web server level.

Users of laminas/laminas-diactoros can make use of the Laminas\Diactoros\RequestFilter\RequestFilterInterface functionality in order to either (a) disable usage of the X-Forwarded-* headers entirely, (b) opt-in to it, or © opt-in to the usage for configured proxy servers.

References

For more information

If you have any questions or comments about this advisory:

ghsa
#xss#web#git

Impact

Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

Any version after 2.11.0.

Starting in laminas/laminas-diactoros 2.11.1, we have added Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines the single method __invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface. Filters implementing this interface allow modifying and returning a generated ServerRequest.

The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as X-Forwarded-Host. When operating behind a reverse proxy, the Host header is often rewritten to the name of the node to which the request is being forwarded, and an X-Forwarded-Host header is generated with the original Host value to allow the server to determine the original host the request was intended for. (We have always examined the X-Forwarded-Proto header; as of Diactoros 2.11.1, we also examine the X-Forwarded-Port header.) To accommodate this use case, we created Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders.

Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request.
(This value is found in $_SERVER[‘REMOTE_ADDR’], which is present as $request->getServerParams()[‘REMOTE_ADDR’] within PSR-7 implementations.) FilterUsingXForwardedHeaders provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.

Laminas\Diactoros\ServerRequestFactory::fromGlobals() was updated to accept a FilterServerRequestInterface as an additional, optional argument. Since the X-Forwarded-* headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via FilterUsingXForwardedHeaders::trustReservedSubnets(), which generates an instance marked to trust only proxies on private subnets.

Workarounds

Infrastructure or DevOps can configure web servers to reject X-Forwarded-* headers at the web server level.

Users of laminas/laminas-diactoros can make use of the Laminas\Diactoros\RequestFilter\RequestFilterInterface functionality in order to either (a) disable usage of the X-Forwarded-* headers entirely, (b) opt-in to it, or © opt-in to the usage for configured proxy servers.

References

  • HTTP Host Header Attacks

For more information

If you have any questions or comments about this advisory:

  • Open an issue in laminas/laminas-diactoros
  • Email us

References

  • GHSA-8274-h5jp-97vr
  • laminas/laminas-diactoros@25b11d4
  • https://github.com/laminas/laminas-diactoros/releases/tag/2.11.1

Related news

CVE-2022-31109: Merge pull request from GHSA-8274-h5jp-97vr · laminas/laminas-diactoros@25b11d4

laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, the library offers mitigation measures only in the v2 releases, as doing otherwise would break these use cases immediately. Users of v2 releases from 2.11.1 can provide an additional argument to `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` in the form of a `Laminas\Diactoros\RequestFilter\RequestFilterInter...