[
https://issues.apache.org/jira/browse/RANGER-4211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Duran updated RANGER-4211:
-------------------------------
Attachment: Screen Shot 2023-04-12 at 9.59.41 AM.png
> CWE-472 present in Host Header
> ------------------------------
>
> Key: RANGER-4211
> URL: https://issues.apache.org/jira/browse/RANGER-4211
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Matt Duran
> Priority: Major
> Attachments: Screen Shot 2023-04-12 at 9.59.41 AM.png
>
>
> When making an HTTP request to the Ranger Admin, it is possible to manipulate
> the "Host" header section and have the results appear in the "Location"
> header response, creating the possibility of sending a user to a page
> controlled by someone else.
> CWE-472 recommends verifying inputs that are assumed to be immutable but are
> actually externally controllable in order to prevent this or at the very
> least combat it.
> [https://cwe.mitre.org/data/definitions/472.html]
> Is it possible to include a check on the Host header to verify that the
> location matches the expected host name? Attached is an example of this; as
> you can see, I've changed the Host section to "google.com", which can be
> viewed in the response.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
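The check the report asks for, as an added example that is not code from the Ranger project or from the reporter: a redirect builder that copies the client-supplied Host into Location (the CWE-472 pattern described above) beside a hardened version that only uses the Host value when it normalizes to an allow-listed host:port, and otherwise falls back to a configured canonical authority. The allow-list, the canonical authority, the port numbers and the path are constructed for the example; they are not Ranger configuration keys, and the parsing is framework-independent rather than a Ranger servlet filter.

```python
import re
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed configuration for this example (assumption: a real deployment
# would read these from its own settings; they are not Ranger config keys).
ALLOWED_AUTHORITIES = frozenset({
    "ranger.example.internal:6080",  # plain-HTTP admin port (assumed)
    "ranger.example.internal:6182",  # TLS admin port (assumed)
    "10.0.0.12:6080",
})
CANONICAL_AUTHORITY = "ranger.example.internal:6080"
DEFAULT_PORTS = {"http": 80, "https": 443}
_HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def vulnerable_location(headers: Mapping[str, str], scheme: str, path: str) -> str:
    """The CWE-472 pattern: the client-controlled Host header lands in Location."""
    return f"{scheme}://{headers['Host']}{path}"


def normalize_authority(raw_host: str, scheme: str) -> Optional[str]:
    """Parse a Host header into canonical 'hostname:port', or None if malformed.

    Only http/https schemes are expected (DEFAULT_PORTS); anything that is not
    a bare host[:port] is rejected rather than guessed at.
    """
    # Control characters and whitespace never belong in an authority. Reject
    # them before parsing so urlsplit's own stripping cannot mask a smuggled
    # value such as "google.com\r\nX-Injected: 1".
    if not raw_host or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw_host):
        return None
    try:
        parts = urlsplit("//" + raw_host)
        hostname, port = parts.hostname, parts.port  # .port raises on "host:abc"
    except ValueError:
        return None
    # Userinfo, path, query or fragment means the value was not a bare
    # authority, e.g. "ranger.example.internal@evil.example" or "evil.example/x".
    if (hostname is None or parts.username is not None
            or parts.path or parts.query or parts.fragment):
        return None
    if ":" in hostname:  # IPv6 literal: urlsplit strips the brackets, restore them
        hostname = f"[{hostname}]"
    elif not _HOSTNAME_RE.match(hostname):  # hostname is already lower-cased
        return None
    return f"{hostname}:{port if port is not None else DEFAULT_PORTS[scheme]}"


def host_is_trusted(raw_host: str, scheme: str) -> bool:
    """True only when the Host header names a host:port this server expects."""
    return normalize_authority(raw_host, scheme) in ALLOWED_AUTHORITIES


def safe_location(headers: Mapping[str, str], scheme: str, path: str) -> str:
    """Build a redirect target that only ever points at an allow-listed host.

    An unknown or malformed Host is replaced by the configured canonical
    authority instead of being reflected into the response.
    """
    authority = normalize_authority(headers.get("Host", ""), scheme)
    if authority not in ALLOWED_AUTHORITIES:
        authority = CANONICAL_AUTHORITY
    return f"{scheme}://{authority}{path}"


if __name__ == "__main__":
    # Constructed request: the Host the report demonstrates with, plus a
    # legitimate one. The path is assumed for the example.
    for host in ("google.com", "ranger.example.internal:6080", "evil.example/x"):
        hdrs = {"Host": host}
        print(f"Host: {host!r}")
        print("  reflected :", vulnerable_location(hdrs, "http", "/index.html")
              if "/" not in host else "(would still be reflected verbatim)")
        print("  hardened  :", safe_location(hdrs, "http", "/index.html"))
```

A server that prefers to refuse rather than correct the request can use `host_is_trusted` to answer 400 before any redirect is built; either way the Location value is derived from the allow-list, not from the request. Note that a reverse proxy in front of the admin service must also rewrite or validate Host (and X-Forwarded-Host, if the application honours it), since the check is only as good as the value it sees.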