"enable host header validation" security feature for web interace can be bypassed by accessing via IP address instead of hostname #15390
Unanswered
catharsis71
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
The "enable host header validation" option for the web interface is appreciated and useful however it appears it can be trivially bypassed.
If you access the web interface by IP address without using a hostname, it appears to defeat the validation and allow direct access.
For example, if "enable host header validation" is set to https://hostname1.example.com:65533/, then trying to access it via https://hostname2.example.com:65533/ will be blocked as expected, but if you use https://[IP_ADDRESS_HERE]:65533/ access will be allowed
I've only tested this with IPV6 so I'm not certain if it happens with IPV4 as well; I'm not able to test it via IPV4 at this time.
Beta Was this translation helpful? Give feedback.
All reactions