Headline
GHSA-25gq-jvx2-vg9x: Silverstripe X-Forwarded-Host request hostname injection
A potential hostname injection vulnerability has been found which could allow attackers to alter url resolution.
If a request contains the X-Forwarded-Host HTTP header a website would then use its value in place of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to potentially embed a remote url as the base_url for any site. This would then cause other visitors to the site to be redirected unknowingly.
This header is necessary for servers running behind a reverse proxy (such as nginx). Such servers are likely not vulnerable to this risk.
A fix has been merged into the default installer, although existing projects which do not run behind a reverse proxy should update their htaccess as below:
<IfModule mod_headers.c>
# Remove X-Forwarded-Host header sent as a part of any request from the web
RequestHeader unset X-Forwarded-Host
</IfModule>
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-25gq-jvx2-vg9x
Silverstripe X-Forwarded-Host request hostname injection
High severity GitHub Reviewed Published May 23, 2024 to the GitHub Advisory Database • Updated May 23, 2024
Package
composer silverstripe/framework (Composer)
Affected versions
>= 3.1.0, < 3.1.13
A potential hostname injection vulnerability has been found which could allow attackers to alter url resolution.
If a request contains the X-Forwarded-Host HTTP header a website would then use its value in place of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to potentially embed a remote url as the base_url for any site. This would then cause other visitors to the site to be redirected unknowingly.
This header is necessary for servers running behind a reverse proxy (such as nginx). Such servers are likely not vulnerable to this risk.
A fix has been merged into the default installer, although existing projects which do not run behind a reverse proxy should update their htaccess as below:
<IfModule mod_headers.c>
# Remove X-Forwarded-Host header sent as a part of any request from the web
RequestHeader unset X-Forwarded-Host
</IfModule>
References
- silverstripe/silverstripe-framework@75137db
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-013-1.yaml
- https://www.silverstripe.org/software/download/security-releases/ss-2015-013
Published to the GitHub Advisory Database
May 23, 2024
Last updated
May 23, 2024