View Issue Details

ID: 0026434
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-02-14 17:16
Reporter: jingshaochen
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.22.1
Summary: 0026434: Use of _SERVER['HTTP_HOST'], _SERVER['SERVER_NAME'], and _SERVER['HTTP_X_FORWARDED_HOST'] should be avoided
Description

HTTP_HOST, HTTP_X_FORWARDED_HOST, and SERVER_NAME can be easily spoofed by inserting a Host header from the client side. Mantis uses that as the server hostname to construct every link. The use of those variables is integrated in $g_path in the config_defaults_inc.php file.

Details on the vulnerability can be found here: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

Tags: No tags attached.
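
The alternative the description argues for, as an added example that is not MantisBT code and not the project's patch: the host placed in generated links comes from configuration, and the request's Host header is only used to select among configured names. The function name, its parameters and the sample hostnames are assumptions, and the sketch assumes no trusted reverse proxy, so HTTP_X_FORWARDED_HOST is never read.

```php
<?php
// Added example; every name below is hypothetical, not a MantisBT API.

/**
 * Build the base URL for generated links from configured hostnames only.
 * The client-supplied Host value is a lookup key and is never echoed back.
 */
function resolve_base_url(array $server, array $allowedHosts, string $canonicalHost, string $basePath = '/'): string
{
    // Only HTTP_HOST is consulted; SERVER_NAME and HTTP_X_FORWARDED_HOST
    // are ignored on purpose (assumption: no trusted proxy in front).
    $requested = strtolower(trim((string)($server['HTTP_HOST'] ?? '')));

    // Strict membership test: anything not configured verbatim
    // (unknown host, extra port, injected markup) falls back to the
    // canonical host instead of reaching the generated link.
    if (in_array($requested, $allowedHosts, true)) {
        $host = $requested;
    } else {
        $host = $canonicalHost;
        if ($requested !== '') {
            // json_encode keeps control characters out of the log line.
            error_log('Rejected Host header: ' . json_encode($requested));
        }
    }

    $https  = !empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';

    return $scheme . '://' . $host . '/' . ltrim($basePath, '/');
}

// Constructed sample configuration and requests.
$allowed   = ['bugs.example.org', 'tracker.example.org'];
$canonical = 'bugs.example.org';

$requests = [
    'configured host'  => ['HTTP_HOST' => 'tracker.example.org', 'HTTPS' => 'on'],
    'unknown host'     => ['HTTP_HOST' => 'other.example', 'HTTPS' => 'on'],
    'host with markup' => ['HTTP_HOST' => 'bugs.example.org"><x', 'HTTPS' => 'on'],
    'missing header'   => ['HTTPS' => 'off'],
];

foreach ($requests as $label => $server) {
    printf("%-17s => %s\n", $label, resolve_base_url($server, $allowed, $canonical, '/mantis/'));
}
```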

Relationships

duplicate of: 0019381 | closed | dregad | CVE-2024-23830: Host header attack vulnerability

Activities

jingshaochen

2019-12-13 15:36

reporter   ~0063278

Any update?

dregad

2024-01-28 19:34

developer   ~0068480

Hello, sorry about the delay in responding. After analysis, this is definitely a duplicate of previously reported issue 0019381 so I'm going to close this one.

FYI, I have opened a GitHub Security Advisory and requested a CVE ID for this. Working on a patch, will let you know when ready so you can review and test.

I have credited you as reporter with your GitHub account (shaozi) - let me know if that's not the right one.