Description
In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This implementation can be abused because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.
Details
A flaw was found in the redirection to external auth mechanisms in ManageIQ where an attacker could take advantage of the Host HTTP Header in conjunction with a man-in-the-middle attack to trick users into providing their passwords to a malicious server owned by said attackers.
The attack is only exploitable when a user's Host header can already be manipulated, and an avenue for this is while the user is also currently being affected by a man-in-the-middle attack, though not limited to that.
The remediation steps to prevent this is to enforce specific Host headers on the httpd level, and we have added instructions into our included httpd configs on the appliance. This, however, does require user intervention to prevent as we don't a known user's custom hostname/ip at appliance build time. These Host headers are also enabled by default in container installations where the applicationDomain is required.
Fixed in ivanchuk-7 - appliance, ivanchuk-7 - templates, jansa-1-rc2 - appliance, jansa-1-rc2 - operator, jansa-1-rc2 - templates, master - appliance, master - operator, master - templates
Description
In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This implementation can be abused because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.
Details
A flaw was found in the redirection to external auth mechanisms in ManageIQ where an attacker could take advantage of the Host HTTP Header in conjunction with a man-in-the-middle attack to trick users into providing their passwords to a malicious server owned by said attackers.
The attack is only exploitable when a user's Host header can already be manipulated, and an avenue for this is while the user is also currently being affected by a man-in-the-middle attack, though not limited to that.
The remediation steps to prevent this is to enforce specific Host headers on the httpd level, and we have added instructions into our included httpd configs on the appliance. This, however, does require user intervention to prevent as we don't a known user's custom hostname/ip at appliance build time. These Host headers are also enabled by default in container installations where the applicationDomain is required.
Fixed in ivanchuk-7 - appliance, ivanchuk-7 - templates, jansa-1-rc2 - appliance, jansa-1-rc2 - operator, jansa-1-rc2 - templates, master - appliance, master - operator, master - templates