
[SECURITY-20] Prevent XSS by cache poisoning via Host header #13426

Merged
merged 1 commit into modxcms:2.5.x from prevent-host-cache-poisoning on Apr 18, 2017

Conversation

opengeek (Member)

What does it do?

Prevents cache poisoning via the Host header, which can lead to XSS vulnerabilities.

Why is it needed?

This issue was reported in a recent security issue.

Related issue(s)/PR(s)

N/A

@opengeek opengeek added area-security bug The issue in the code or project, which should be addressed. labels Apr 18, 2017
@opengeek opengeek added this to the 2.5.7 milestone Apr 18, 2017
@opengeek opengeek merged commit 47b5467 into modxcms:2.5.x Apr 18, 2017
@AgelxNash (Contributor)

> Related issue(s)/PR(s)
> N/A

You were informed in 2014, but it was ignored.
https://web.archive.org/web/20140630052505/http://blog.agel-nash.ru:80/2014/3/http_host.html
https://www.youtube.com/watch?v=7qKuMloGBQI

@mrhaw (Contributor) commented Sep 9, 2017

This is a post from 7 years ago: https://forums.modx.com/thread/12961/site-url---drawing-out-incorrect-site-url#dis-post-72239

It's always been recommended to never use site_url tag cached. The youtube video is a good demo of why.
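An added illustration of the mechanism the PR description and the comment above refer to; this is not MODX code and not the content of commit 47b5467. It simulates a site URL built from the client-supplied Host header, rendered into page markup and stored in a shared cache, so the first request's Host is replayed to every later visitor. The host names, the `PageCache` class and the `renderPage` function are constructed for the example. The hardened variant compares Host against a configured allowlist and falls back to the canonical host, so nothing attacker-chosen ever reaches the cache.

```php
<?php
// Constructed configuration: the canonical host and the hosts this site answers for.
const CANONICAL_HOST = 'www.example.com';
const ALLOWED_HOSTS  = ['www.example.com', 'example.com'];

/** Vulnerable pattern: trusts whatever Host the client sent. */
function siteUrlFromRequest(array $server): string
{
    $host = $server['HTTP_HOST'] ?? CANONICAL_HOST;   // attacker-controlled value
    return 'https://' . $host . '/';
}

/** Hardened pattern: only a configured host may be used to build absolute URLs. */
function siteUrlValidated(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);       // drop an explicit port before comparing
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = CANONICAL_HOST;                       // unknown Host: use the canonical host, never the raw header
    }
    return 'https://' . $host . '/';
}

/** Tiny in-memory stand-in for a persistent page/resource cache shared by all requests. */
final class PageCache
{
    private array $entries = [];

    public function get(string $key): ?string
    {
        return $this->entries[$key] ?? null;
    }

    public function set(string $key, string $value): void
    {
        $this->entries[$key] = $value;
    }
}

/**
 * Render a page whose markup embeds the site URL and cache the result.
 * With $validate = false the first request's Host is baked into the cached
 * markup; with $validate = true the embedded host is always a configured one.
 */
function renderPage(PageCache $cache, array $server, bool $validate): string
{
    $key = 'resource:1';
    $cached = $cache->get($key);
    if ($cached !== null) {
        return $cached;                               // cache hit: no Host check runs at all
    }
    $siteUrl = $validate ? siteUrlValidated($server) : siteUrlFromRequest($server);
    // Escaping on output limits what a poisoned value can do inside the attribute,
    // but the link still points at the attacker's host for every later visitor.
    $html = '<link rel="canonical" href="' . htmlspecialchars($siteUrl, ENT_QUOTES, 'UTF-8') . '">';
    $cache->set($key, $html);
    return $html;
}

// Constructed requests: one with a forged Host header, then an ordinary visitor.
$forged  = ['HTTP_HOST' => 'attacker.example'];
$visitor = ['HTTP_HOST' => 'www.example.com'];

// Vulnerable flow: the forged request populates the cache, the visitor gets its output.
$poisoned = new PageCache();
renderPage($poisoned, $forged, false);
echo renderPage($poisoned, $visitor, false), PHP_EOL;

// Hardened flow: the forged Host is rejected before anything is cached.
$hardened = new PageCache();
renderPage($hardened, $forged, true);
echo renderPage($hardened, $visitor, true), PHP_EOL;
```

Run it with `php example.php`: the first line carries `attacker.example`, the second carries `www.example.com`. The allowlist is one mitigation; the other, which the comment above recommends, is to keep Host-derived values such as the site URL out of cached output entirely, so that a single forged request can never define what other visitors receive.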

@opengeek opengeek deleted the prevent-host-cache-poisoning branch December 17, 2019 22:23