Matt Duran created RANGER-4211:
----------------------------------
Summary: CWE-472 present in Host Header
Key: RANGER-4211
URL: https://issues.apache.org/jira/browse/RANGER-4211
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Matt Duran
When making an HTTP request to the Ranger Admin, it is possible to manipulate
the "Host" header section and have the results appear in the "Location" header
response, creating the possibility of sending a user to a page controlled by
someone else.
CWE-472 recommends verifying inputs that are assumed to be immutable but are
actually externally controllable in order to prevent this or at the very least
combat it.
[https://cwe.mitre.org/data/definitions/472.html]
Is it possible to include a check in the host header to verify that the
location matches the expected host name? Attached is an example of this, as you
can see I've changed the Host section to "google.com" which can be viewed in
the response.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
