ESET TYPO3 CMS Host Header Vulnerability

Hello fellas,
It was July when I read a really good article about a vulnerability found on one of ESET's subdomains; I don't remember the name of the site the article was on. So I thought, why not try it out myself.

So I started enumerating ESET's subdomains and came across this one:

"https://<subdomain>.eset.com/", which redirects to https://<subdomain>.eset.com/int/

#I can't disclose the subdomain name

That URL returned a page with the following messages:

The current host header value does not match the configured trusted hosts pattern! Check the pattern defined in $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and adapt it, if you want to allow the current host header '<subdomain>.eset.com' for your installation.

and, on the first line:

"You see this error, because the submitted HTTP host-header does not match the trustedHosts configuration. You may want to adjust the trusted host pattern, which is a security mechanism to validate the HTTP host-header and prevent host spoofing."

After some searching I found that the site runs on TYPO3 CMS.
Reference: https://wiki.typo3.org/Exception/CMS/1396795884
That page explains the exception raised on the host: the trustedHostsPattern configured for the installation does not allow the hostname the site is actually served under, i.e. the host has not been configured properly. Note that the check itself is clearly present on this installation (TYPO3 versions older than the ones named in the advisory below did not validate the host header at all and would simply have used it), so what the page shows is a misconfigured pattern, which breaks the site under its own hostname and discloses the CMS and the relevant configuration key, rather than a host header that TYPO3 accepted.
Then I came across the TYPO3 security advisory page, which clearly states:

Vulnerability Type: Host Spoofing

Problem Description: Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. A blog post describes this problem in great detail.

Solution: Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 and check or update your web server configuration as described below.
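To make the advisory and the error page above concrete, here is an added example (my own code, not from the original post and not TYPO3's code) that mirrors what the trustedHostsPattern setting does as I understand it: the value 'SERVER_NAME' allows only the web server's own name (optionally with its port), '.*' allows everything, and any other value is treated as a regular expression matched case-insensitively against the whole Host header. It then builds a password-reset link the way the advisory describes, once without the check and once with it, and walks through a forged Host header, the "allow all" setting, the default setting, a pattern that is too narrow for one of the site's real hostnames (the situation behind the error page in this post) and the corrected pattern. All hostnames, the token and the URL shape are constructed for the demo and are assumptions, not ESET's or TYPO3's real values.

```python
"""Host-header spoofing vs. a TYPO3-style trustedHostsPattern check (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    host_header: str       # Host: header as sent by the client; attacker-controlled
    server_name: str       # name the web server's virtual host is configured with
    server_port: int = 443


class HostNotTrusted(Exception):
    """Raised when the Host header fails the trusted-hosts check (TYPO3 shows an error page)."""


def is_allowed_host(req: Request, trusted_hosts_pattern: str) -> bool:
    """Return True if req.host_header is accepted by the configured pattern.

    Semantics are my reading of TYPO3's trustedHostsPattern option (assumption):
    'SERVER_NAME' -> only the vhost's own name, with or without its port;
    '.*'          -> accept anything;
    anything else -> anchored, case-insensitive regular expression.
    """
    host = req.host_header.lower()
    if trusted_hosts_pattern == "SERVER_NAME":
        name = req.server_name.lower()
        return host in (name, f"{name}:{req.server_port}")
    if trusted_hosts_pattern == ".*":
        return True                      # explicit "allow everything": spoofing possible
    return re.fullmatch(trusted_hosts_pattern, host, re.IGNORECASE) is not None


def reset_link_unchecked(req: Request, token: str) -> str:
    """Vulnerable: builds an absolute URL straight from the client-supplied Host header."""
    return f"https://{req.host_header}/index.php?id=reset&token={token}"


def reset_link_checked(req: Request, token: str, trusted_hosts_pattern: str) -> str:
    """Hardened: refuse to build the URL unless the Host header is trusted."""
    if not is_allowed_host(req, trusted_hosts_pattern):
        raise HostNotTrusted(
            "The current host header value does not match the configured "
            f"trusted hosts pattern! Host header: '{req.host_header}'"
        )
    return f"https://{req.host_header}/index.php?id=reset&token={token}"


def outcome(req: Request, token: str, trusted_hosts_pattern: str) -> str:
    """Collapse the checked call into either the generated link or 'REJECTED'."""
    try:
        return reset_link_checked(req, token, trusted_hosts_pattern)
    except HostNotTrusted:
        return "REJECTED"


def demo() -> dict:
    """Run the scenarios discussed in the post; all inputs below are constructed."""
    token = "d41d8cd98f00"                                                # not a real token
    site = "www.example.com"                                              # the vhost's own name
    legit = Request(host_header="www.example.com", server_name=site)
    forged = Request(host_header="attacker.example", server_name=site)    # spoofed Host:
    alias = Request(host_header="help.example.com", server_name=site)     # a second real alias

    return {
        # No check at all: the reset e-mail would carry the attacker's host.
        "unchecked_forged": reset_link_unchecked(forged, token),
        # '.*' is the "allow all" setting: same result as having no check.
        "allow_all_forged": outcome(forged, token, ".*"),
        # Default 'SERVER_NAME': forged header rejected, legitimate one accepted.
        "server_name_forged": outcome(forged, token, "SERVER_NAME"),
        "server_name_legit": outcome(legit, token, "SERVER_NAME"),
        # Pattern too narrow for the alias: a real hostname is rejected too.
        # This is the error page seen in the post (misconfiguration, not spoofing).
        "narrow_alias": outcome(alias, token, r"www\.example\.com"),
        # Corrected pattern: both real names accepted, forged host still rejected.
        "fixed_alias": outcome(alias, token, r"(www|help)\.example\.com"),
        "fixed_forged": outcome(forged, token, r"(www|help)\.example\.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The equivalent check against a live site is a request with a forged Host header (for example curl -H "Host: attacker.example" against the target) followed by a look at whether any redirect, absolute link or e-mail produced by the application echoes that value; a TYPO3 installation with a correct pattern answers such a request with the exception page shown above instead of using the header.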

#Note: my email report itself contains the details, so most of this article is copied from it.

Status: resolved
Reward:~ Swag+Certificate from ESET


Hope you enjoyed reading it.

Comments

  1. Kindly share a PoC, I am not able to understand this.
    Naveenzoho1@gmail.com
