Headline
GHSA-c8rp-cgf4-937w: mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack
Impact
mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.
Patches
3.7.0, and 4.3.0 and later.
The patches present in these versions update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the trustReservedSubnet() constructor, ensuring that the request only honors the X-Forwarded-* headers for private reserved subnets.
Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.
Workarounds
Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in mezzio/mezzio-swoole
- Email us
Impact
mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.
Patches
3.7.0, and 4.3.0 and later.
The patches present in these versions update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the trustReservedSubnet() constructor, ensuring that the request only honors the X-Forwarded-* headers for private reserved subnets.
Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.
Workarounds
Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.
References
- HTTP Host Header Attacks
For more information
If you have any questions or comments about this advisory:
- Open an issue in mezzio/mezzio-swoole
- Email us
References
- GHSA-c8rp-cgf4-937w