View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0026434 | mantisbt | security | public | 2019-12-05 14:14 | 2024-02-14 17:16 |
| Reporter | jingshaochen | Assigned To | dregad | | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | duplicate | | |
| Product Version | 2.22.1 | | | | |
| Summary | 0026434: Use of _SERVER['HTTP_HOST'], _SERVER['SERVER_NAME'], and _SERVER['HTTP_X_FORWARDED_HOST'] should be avoided | | | | |
| Description | HTTP_HOST, HTTP_X_FORWARDED_HOST, and SERVER_NAME can be easily spoofed by inserting a Host header from the client side. Mantis uses that as the server hostname to construct every link. The use of those variables is integrated in Details on the vulnerability can be found here: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html | | | | |
| Tags | No tags attached. | | | | |
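The pattern the report describes, as an added illustration that is not MantisBT's code: a link builder that takes its hostname from request headers (`HTTP_X_FORWARDED_HOST`, `HTTP_HOST`, `SERVER_NAME`) next to one that takes it from a configured canonical base URL, plus an allow-list check for deployments that still need to read the Host header. The function names, the `$configured_base_url` parameter and the sample request array are assumptions made for this example; the hostnames are constructed.

```php
<?php
// Added example, not MantisBT code. Shows why links must not be built from
// request-controlled host headers, and a configuration-driven alternative.

// Weak pattern: the hostname that ends up in every generated link (password
// reset, e-mail notification, redirect) is whatever the client sent.
function build_link_from_host(array $server, string $path): string
{
    $host = $server['HTTP_X_FORWARDED_HOST']
        ?? $server['HTTP_HOST']
        ?? $server['SERVER_NAME'];
    return 'https://' . $host . $path;
}

// Hardened pattern: the base URL comes from the application's own
// configuration ($configured_base_url is a hypothetical setting), so the
// request cannot influence where links point.
function build_link_from_config(string $configured_base_url, string $path): string
{
    return rtrim($configured_base_url, '/') . '/' . ltrim($path, '/');
}

// For deployments that must inspect the Host header (e.g. several virtual
// hosts served by one install), compare it against an explicit allow-list
// after stripping any port and normalising case; reject anything else.
function host_is_allowed(?string $host, array $allowed_hosts): bool
{
    if ($host === null || $host === '') {
        return false;
    }
    $normalised = strtolower((string) preg_replace('/:\d+$/', '', $host));
    $allowed = array_map('strtolower', $allowed_hosts);
    return in_array($normalised, $allowed, true);
}

// Constructed request: the Host header was replaced by the client, while the
// web server's own SERVER_NAME still holds the real site name.
$spoofed_request = [
    'HTTP_HOST'   => 'spoofed.example',
    'SERVER_NAME' => 'tracker.example.org',
];

echo build_link_from_host($spoofed_request, '/verify.php?token=PLACEHOLDER'), PHP_EOL;
echo build_link_from_config('https://tracker.example.org', '/verify.php?token=PLACEHOLDER'), PHP_EOL;
var_dump(host_is_allowed($spoofed_request['HTTP_HOST'], ['tracker.example.org']));
var_dump(host_is_allowed('Tracker.Example.Org:8443', ['tracker.example.org']));
```

Running the script prints a verification link whose host is the spoofed value from the first builder, the configured host from the second, `false` for the spoofed Host header and `true` for the allow-listed host with a port suffix. Note that `SERVER_NAME` is only trustworthy when the web server is configured with a fixed server name; with name-based virtual hosts it is usually populated from the same Host header, which is why the report lists it alongside `HTTP_HOST`.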
Any update?

Hello, sorry about the delay in responding. After analysis, this is definitely a duplicate of previously reported issue 0019381, so I'm going to close this one. FYI, I have opened a GitHub Security Advisory and requested a CVE ID for this. Working on a patch, will let you know when ready so you can review and test. I have credited you as reporter with your GitHub account (shaozi) - let me know if that's not the right one.