httpd-users mailing list archives

From jdrnb00...@yahoo.com
Subject [users@httpd] Reject request with incorrect HOST header...
Date Tue, 09 Sep 2008 04:11:24 GMT
Hello, 

I have come across a security issue, and one of the reasons is Apache allowing serving of requests
with an incorrect HOST header.

Question in short:

Is there an Apache directive which will reject requests with an incorrect or missing HOST header?
I mean if my Apache is serving one.xyz.com, reject all requests coming to that IP address
and port using any other hostname. Meaning reject 1.xyz.com or one.abc.com or 2.xyz.com or
two.xyz.com.

And second, why would Apache allow that in the first place, especially if we are not using
NameBased VHosting?

----------------------------------------------------------------------------------------------------------------------------------------
Details:

Let's say I have a few IP based VHOSTs proxying content from the backend.

<VirtualHost 111.22.33.44:80>
#No Forward Proxy
ProxyRequests Off

# server One
ServerName one.xyz.com
ProxyPass /all        http://backend.com/all
ProxyPassReverse /all     http://backend.com/all
...
</VirtualHost>

We have a gate-keeper which checks incoming requests for the one.xyz.com domain name and prompts
them for Authentication.

Now, if I make a hosts file change on my local (client) computer such that
111.22.33.44    www.hack.com

And then if I point my browser to www.hack.com/all, I am in w/o any challenge.  Apache ignores
the HOST header and the gate-keeper lets it go as it is only protecting one.xyz.com.

Well, we had patched the GateKeeper for the above problem a few years back, but today a similar
issue has come to our notice whereby a hacker can point to one of our server IP addresses as
a Proxy Server address in their browser. Once again Apache simply ignored the HOST header
in the request and this time, it confused the gate-keeper s/w too and let the request through
w/o Authentication.

I want to keep this post simple and hence skip the details. I know we have a problem with
the gate-keeper s/w and will open up a case with them, but wished there was an Apache directive
which would simply reject requests with a non-matching HOST.

Thank you
-j
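
The setup described in the message above, as an added configuration example that is not part of the original post or the Apache project's own text. It assumes Apache httpd 2.4 syntax; the name default.invalid is a hypothetical placeholder. It places a deny-all default virtual host in front of the proxying one, so that only requests for one.xyz.com reach the ProxyPass rules.

```apache
# Added example (httpd 2.4 syntax assumed).
#
# Two <VirtualHost> blocks on the same address:port make httpd select the
# vhost by name. The FIRST block listed is the default: it receives every
# request whose host matches no ServerName/ServerAlias on that address,
# including HTTP/1.0 requests that carry no Host header.
# When the request line carries an absolute URI (proxy-style request),
# the host in that URI is what httpd matches against, not the Host header.

# Default vhost: anything not addressed to one.xyz.com ends here with 403.
<VirtualHost 111.22.33.44:80>
    # Placeholder name; it only has to differ from every real site name.
    ServerName default.invalid

    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# The real site: reached only when the requested host is one.xyz.com.
<VirtualHost 111.22.33.44:80>
    ServerName one.xyz.com

    # No forward proxy
    ProxyRequests Off

    ProxyPass        /all http://backend.com/all
    ProxyPassReverse /all http://backend.com/all
    # (remaining directives of the original vhost unchanged)
</VirtualHost>

# On httpd 2.2, name-based selection additionally needs
#   NameVirtualHost 111.22.33.44:80
# and the deny rule is written as
#   Order deny,allow
#   Deny from all
```

Run `apachectl -S` after reloading to confirm that default.invalid is listed as the default server for 111.22.33.44:80.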
