Diffusion hydra 38c83ef846c1

Defuse a "Host:" header attack

Description


Summary:
Django released a security update recently dealing with malicious "Host" headers:

https://www.djangoproject.com/weblog/2012/oct/17/security/

We're vulnerable to the same attack. Plug the hole.

The risk here is that an attacker does something like this:

  1. Register "evil.com".
  2. Point it at secure.phabricator.com in DNS.
  3. Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
  4. They log in and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
  5. The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.

Test Plan: Unit tests.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D3766
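A defender-side check for the scenario in the commit message, as an added example that is not Phabricator's own code (the `TRUSTED_HOSTS` allowlist and the function names are assumptions): it shows which host a browser really targets for a link carrying a fake `user:pass@` prefix, and it derives a cookie domain from the `Host` header only when that host is one the operator configured.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist standing in for the deployment's configured domains
# (assumption: the real configuration is not on the page).
TRUSTED_HOSTS = {"secure.phabricator.com"}

# Hostname labels, an optional trailing dot, an optional numeric port.
# Anything else (userinfo, '@', paths, spaces) fails to match.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)\.?(?::(?P<port>\d{1,5}))?$"
)


def browser_host_for_link(link: str) -> str:
    """Return the host a browser connects to for a link: text before '@' is
    userinfo, so 'secure.phabricator.com:ignored@evil.com' targets evil.com."""
    parts = urlsplit(link if "://" in link else "https://" + link)
    return parts.hostname or ""


def normalize_host(header: str):
    """Canonical lowercase host from a Host header, or None when malformed."""
    m = _HOST_RE.match(header.strip().lower())
    if not m:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return None
    return m.group("host")


def cookie_domain_for(header: str, trusted=TRUSTED_HOSTS):
    """Cookie domain to use for a request, or None (set no cookie) when the
    Host header is not one of the configured domains."""
    host = normalize_host(header)
    if host is None or host not in trusted:
        return None
    return host
```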

Details

Provenance
Authored by epriestley on Oct 22 2012, 1:49 PM
Pushed by sirocyl on Oct 16 2024, 5:49 AM
Parents
R1:96b5d0e74a92: Generate Releeph GLYPHICON