Host Header Injection- Type Setter CMS 5.1



By - Navina Asrani

Hi Readers,

Recently while performing some open source security assessment, I came across an CMS “ Typesetter” CMS. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities’. 
Title of the Vulnerability:  Host Header Injection.
Common Vulnerability Scoring System: 7.0
Vulnerability Class: Injection
Technical Details & Description: The application is configured to allow insecure host headers to be injected in request headers.

CVE ID allocated:  CVE-2018-6889

Product & Service Introduction: TypeSetter 5.1
Steps to Re-Produce –
1.       Visit the application
2.       Tamper the request and change the host to any arbitrary header like google.com
3.        The same is added in request and complete page re-direction takes place.
Exploitation Technique: A attacker can perform application modification to perform advanced attacks as as password reset/ cache poisoning etc.
Severity Level: High
Security Risk:
The presence of such a risk can lead to user cache poisoning and user re-direction
Exploit code:

GET / HTTP/1.1
Host: google.com

Affected Product Version: 5.1
Solution - Fix & Patch: The application code should be configured with to allow a whitelist of allowed hosts in source code.






Comments

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS

Stored XSS in Wonder CMS

WPA2 KRACK unleashed