Silverstripe X-Forwarded-Host request hostname injection

A potential hostname injection vulnerability has been found which could allow attackers to alter url resolution.

If a request contains the X-Forwarded-Host HTTP header a website would then use its value in place of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to potentially embed a remote url as the base_url for any site. This would then cause other visitors to the site to be redirected unknowingly.

This header is necessary for servers running behind a reverse proxy (such as nginx). Such servers are likely not vulnerable to this risk.

A fix has been merged into the default installer, although existing projects which do not run behind a reverse proxy should update their htaccess as below:

&lt;IfModule mod_headers.c&gt;
    # Remove X-Forwarded-Host header sent as a part of any request from the web
    RequestHeader unset X-Forwarded-Host
&lt;/IfModule&gt;

Published: May 23, 2024
Updated: Jun 27, 2024
GHSA: GHSA-25gq-jvx2-vg9x
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.1.0	3.1.13

Vulnerability Database

Silverstripe X-Forwarded-Host request hostname injection