Add support for limiting allowed hosts #7649
Comments
@bozana, would you mind reviewing this before I port to the other apps and older branches? Thanks!

Just want to add that this will also mitigate XSS vulnerabilities, thank you for moving quickly on it!
#7649 Add support for allowed_hosts limits to avoid HOST header injection
pkp/pkp-lib#7649 Add support for allowed_hosts limits to avoid HOST header injection
Hi everyone, now that we've gone through and patched all of our own installations I wanted to share the patches we used, based off of @asmecher's work above. For some of those there was a discrepancy in older versions of OJS3 where you'd get a fatal error about not being able to pass by reference. The patch for 3.2 also removes the bits that attempt to patch the readme file that isn't in 3.1. The original patch for 3.3 works perfectly.

OJS/OMP 3.2.1 and 3.2.0: ojs-3.2.1-4.diff.txt
Description of problem
OJS/OMP/OPS currently uses the `HTTP_HOST`, `SERVER_NAME`, and `HTTP_X_FORWARDED_HOST` headers to detect the current hostname for formulating absolute URLs. Per https://portswigger.net/web-security/host-header, these headers may be user-controlled and thus not trustworthy. This could be used to e.g. send password reset emails with poisoned links that direct the user to a third-party site, where the reset hash can be captured. (We are not currently aware of another possible abuse via this mechanism.)
Thanks to Hemant Kashyap for reporting the issue.
Solution
The changes described here add support for a list of allowed host names to be provided in the `config.inc.php` configuration file. The user-supplied host value is checked against this list, and only a host name that appears on the list is accepted; any other value is rejected before it can be used to build URLs.
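The following is an added illustration of the allow-list check described above, written for this page and not taken from pkp-lib. It picks the host from the same headers the issue names, compares it exactly against a configured list, and refuses the request otherwise. The function names, the JSON encoding of the list, and the sample request arrays are assumptions made for the example.

```php
<?php
// Added example (not pkp-lib's own code): enforce an allow-list of host names
// before a request's host is used to build absolute URLs. Function names,
// the JSON list format and the sample requests below are assumptions.

/**
 * Pick the host the application would otherwise trust, in the header order
 * the issue names: X-Forwarded-Host, then Host, then SERVER_NAME.
 * Returns null when none is present.
 */
function candidateHost(array $server): ?string
{
    foreach (['HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            // X-Forwarded-Host may be a comma-separated chain; take the first entry.
            $first = explode(',', $server[$key])[0];
            return strtolower(trim($first));
        }
    }
    return null;
}

/**
 * Drop a trailing ":port" so "localhost:8080" matches an entry "localhost".
 * Bracketed IPv6 literals keep their brackets; only the port suffix is removed.
 */
function hostWithoutPort(string $host): string
{
    return preg_replace('/:\d+$/', '', $host);
}

/**
 * Parse the configured allow-list. A JSON array of strings is assumed here;
 * anything unparsable yields an empty list, which rejects every request
 * (failing closed rather than silently trusting the headers again).
 */
function parseAllowedHosts(?string $raw): array
{
    if ($raw === null || trim($raw) === '') {
        return [];
    }
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return [];
    }
    $hosts = [];
    foreach ($decoded as $entry) {
        if (is_string($entry) && $entry !== '') {
            $hosts[] = strtolower($entry);
        }
    }
    return $hosts;
}

/** Exact match only: no wildcards, no prefix/suffix matching, no regex. */
function isAllowedHost(?string $host, array $allowed): bool
{
    if ($host === null) {
        return false;
    }
    return in_array(hostWithoutPort($host), $allowed, true);
}

// Constructed requests standing in for $_SERVER.
$allowed = parseAllowedHosts('["journal.example.org", "localhost"]');
$samples = [
    'normal'    => ['HTTP_HOST' => 'journal.example.org'],
    'forwarded' => ['HTTP_HOST' => 'journal.example.org',
                    'HTTP_X_FORWARDED_HOST' => 'untrusted.invalid'],
    'port'      => ['HTTP_HOST' => 'localhost:8080'],
    'missing'   => [],
];

foreach ($samples as $label => $server) {
    $host = candidateHost($server);
    if (isAllowedHost($host, $allowed)) {
        echo "$label: accept $host\n";
    } else {
        // The patched software answers with 400 Bad Request instead of
        // generating URLs (e.g. password reset links) with this host.
        echo "$label: 400 Bad Request (" . var_export($host, true) . ")\n";
    }
}
```

The check is applied to whichever header wins the precedence, so a forwarded value cannot smuggle in a host that the configuration does not list; and because the match is exact and case-folded, an entry like `journal.example.org` does not accidentally cover `journal.example.org.untrusted.invalid`.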
Affected versions
This issue affects all releases of OJS, OMP, and OPS versions 3.3.0-8 and older.
How to resolve the issue
1. Update your installation to a version that includes the `allowed_hosts` setting. This can be done by any of the following...
   - updating to the `stable-3_3_0` or `stable-3_2_1` branches, or
   - applying the patches from the pull requests listed under "Commits/pull requests" below.
2. Add the `allowed_hosts` setting to the `general` section of your `config.inc.php` configuration file. See the description/example in `config.TEMPLATE.inc.php`.
3. Test by accessing the site using a hostname that is not listed in `allowed_hosts`. Attempting to load a page from the software should result in a `400 Bad Request` error page.

Commits/pull requests
(This is for tracking development work on the issue; you likely don't need to know this.)
PRs/commits:
main:
stable-3_3_0:
stable-3_2_1: