GHSA-vg46-2rrj-3647: Twisted vulnerable to NameVirtualHost Host header injection
When the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection.
Example configuration:
from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

# No hosts are registered, so every request falls through to the
# NoResource 404 that echoes the unmatched Host header.
resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()
Output:
❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>host b'<h1>hello there</h1>' not in vhost map</p>
</body>
</html>
This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.
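The reflection shown above, as an added regression check that is not Twisted's code: the two page builders imitate the advisory's 404 body (vulnerable and escaped variants) so the checker can be exercised offline, PROBE_HOST is a constructed marker value, and the live probe assumes the localhost:8080 configuration from the example.

```python
import http.client
from html import escape

# Constructed Host value: the <b> tag is the marker the checker looks for.
PROBE_HOST = "<b>vhost-probe</b>"

# Imitation of the 404 body shown in the advisory (not Twisted's template).
NOT_FOUND_TEMPLATE = (
    "<html>\n<head><title>404 - No Such Resource</title></head>\n<body>\n"
    "<h1>No Such Resource</h1>\n<p>host {host} not in vhost map</p>\n"
    "</body>\n</html>"
)

def vulnerable_404(host: bytes) -> str:
    """Pre-fix behaviour: repr() of the raw header lands in the HTML as-is.

    NameVirtualHost lower-cases the header before lookup, which is why the
    advisory's output shows 'hello there' for a 'HELLO THERE' request.
    """
    return NOT_FOUND_TEMPLATE.format(host=repr(host.lower()))

def hardened_404(host: bytes) -> str:
    """Same message, but the attacker-controlled value is HTML-escaped first."""
    return NOT_FOUND_TEMPLATE.format(host=escape(repr(host.lower()), quote=True))

def host_reflected_unescaped(sent_host: str, body: str) -> bool:
    """True when the Host value is echoed with its markup intact.

    The comparison is case-insensitive because of the lower-casing above;
    an escaped echo (&lt;b&gt;...) does not match and is the safe outcome.
    """
    return sent_host.lower() in body.lower()

def probe(host_port: str = "localhost:8080", path: str = "/") -> bool:
    """GET with the marker Host header against a server you operate."""
    conn = http.client.HTTPConnection(host_port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": PROBE_HOST})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    return resp.status == 404 and host_reflected_unescaped(PROBE_HOST, body)

if __name__ == "__main__":
    print("Host header reflected unescaped:", probe())
```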
References
- GHSA-vg46-2rrj-3647
- twisted/twisted@f2f5e81
- twisted/twisted@f49041b
Related news
Ubuntu Security Notice 6575-1 - It was discovered that Twisted incorrectly escaped host headers in certain 404 responses. A remote attacker could possibly use this issue to perform HTML and script injection attacks. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay responses and manipulate the responses of second requests.
Gentoo Linux Security Advisory 202301-2 - Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service. Versions less than 22.10.0 are affected.
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.