Host Header Injection- Type Setter CMS 5.1
By - Navina Asrani
Recently while performing some open source security assessment, I came across an CMS “ Typesetter” CMS. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities’.
Title of the Vulnerability: Host Header Injection.
Common Vulnerability Scoring System: 7.0
Vulnerability Class: Injection
Technical Details & Description: The application is configured to allow insecure host headers to be injected in request headers.
CVE ID allocated: CVE-2018-6889
Product & Service Introduction: TypeSetter 5.1
Steps to Re-Produce –
1. Visit the application
2. Tamper the request and change the host to any arbitrary header like google.com
3. The same is added in request and complete page re-direction takes place.
Exploitation Technique: A attacker can perform application modification to perform advanced attacks as as password reset/ cache poisoning etc.
Severity Level: High
The presence of such a risk can lead to user cache poisoning and user re-direction
GET / HTTP/1.1
Affected Product Version: 5.1
Solution - Fix & Patch: The application code should be configured with to allow a whitelist of allowed hosts in source code.