Dear HAProxy Development Team,

I am a network security engineer, and recently I discovered a critical vulnerability in HAProxy that allows attackers to bypass the domain blacklist restriction under specific deployment scenarios. I am reporting this issue to assist in enhancing the security of HAProxy, and I would appreciate your attention and follow-up.


   1. Vulnerability Principle and Hazard Description

The vulnerability arises from HAProxy's non-compliance with the relevant RFC specification when processing HTTP requests. According to the RFC standard (RFC 9112, section 3.2.2), if an HTTP request contains an absolute-uri, the Host value should be derived from that absolute-uri. However, HAProxy fails to implement this specification correctly in certain configurations.

In typical deployment architectures where HAProxy forwards HTTP traffic to a reverse proxy server by default, and the reverse proxy distributes requests to different backend application servers based on domain names, this vulnerability can be exploited. When HAProxy is configured to block access to a specific domain (via a blacklist), attackers can construct an HTTP/1.0 request that omits the Host header but includes an absolute-uri pointing to the blacklisted domain. Due to HAProxy's non-compliance with the RFC, it does not correctly identify the target domain from the absolute-uri, thus failing to trigger the blacklist restriction and allowing the request to bypass the block and reach the target backend server.

The potential hazards of this vulnerability are significant: it renders the domain-based access control mechanism configured on HAProxy ineffective, enabling unauthorized access to restricted resources (such as the admin.local domain in the test configuration). This may lead to sensitive information leakage, unauthorized operation of backend systems, and other security incidents, posing a direct threat to the security of business systems protected by HAProxy.


   2. Vulnerability Reproduction Steps


     2.1 Preparatory Environment

 * Deploy HAProxy with the following configuration (core configuration
   for blacklisting the admin.local domain).
 * Deploy a reverse proxy server (e.g., Nginx) on the backend
   127.0.0.1:9999, which distributes requests to corresponding
   application servers based on the Host header or absolute-uri.
 * Ensure the admin.local domain corresponds to a restricted backend
   application (e.g., an administrative background system).


     2.2 HAProxy Core Configuration

frontend http_front
    bind *:5000
    mode http
    acl host_deny hdr(host) -i admin.local
    use_backend forbidden_backend if host_deny
    default_backend backend_server

backend backend_server
    mode http
    server s1 127.0.0.1:9999 check

backend forbidden_backend
    mode http
    http-request deny deny_status 403


     2.3 Reproduction Steps


1. Verify Normal Blocking Effect: Send a standard HTTP request
   with the Host header set to admin.local to HAProxy's listening
   port (5000). The request is as follows:

================= request begin =================
GET / HTTP/1.1
Host: admin.local
Connection: close
================= request end ===================

Expected result: HAProxy triggers the host_deny ACL, forwards the request to forbidden_backend, and returns a 403 Forbidden response (blocking succeeds).

2. Construct Bypass Request: Send an HTTP/1.0 request that omits the
   Host header and includes an absolute-uri pointing to admin.local.
   The request is as follows:

================= request begin =================
GET http://admin.local/ HTTP/1.0
Connection: close
================= request end ===================

Actual result: HAProxy does not identify the admin.local domain from the absolute-uri, fails to trigger the blacklist ACL, and forwards the request to backend_server (127.0.0.1:9999). The backend reverse proxy parses the target domain from the absolute-uri and forwards the request to the backend application corresponding to admin.local, returning a 200 OK response (bypass succeeds).


   3. Vulnerability Mitigation Recommendations

Modify the HTTP request processing logic of HAProxy to strictly comply with RFC specifications: when an HTTP request contains an absolute-uri, extract the Host information from the absolute-uri and use it for ACL matching (consistent with the processing logic of the Host header). This ensures that even if the Host header is omitted, the target domain in the absolute-uri can be correctly identified, and the blacklist restriction can be effectively triggered.


Thank you for your efforts in maintaining the security and stability of HAProxy.

Best regards,
Kenny Cheng
Network Security Engineer


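The host-resolution rule the report relies on (RFC 9112, section 3.2.2: for an absolute-form request-target, the authority in the request line is the target host and takes precedence over any Host header), shown as an added example that is not part of the report above and is not HAProxy's own code. It parses the two raw requests from the reproduction steps (reconstructed here as constructed byte strings) and compares a header-only blacklist check, modelling the report's reading of the hdr(host) ACL, with a check that consults the absolute-form authority first. The function names, the BLACKLIST set and the extra test request carrying both an absolute-form target and a conflicting Host header are assumptions for illustration; the example goes one step beyond the report by also covering the conflicting-header case, which the RFC resolves in favour of the request-target.

```python
"""Added example: RFC 9112 section 3.2.2 host resolution vs. a Host-header-only check.

Not code from the report or from HAProxy. BLACKLIST, the helper names and the
sample requests are assumptions constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample requests, mirroring the report's two reproduction steps.
NORMAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: admin.local\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
BYPASS_REQUEST = (
    b"GET http://admin.local/ HTTP/1.0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Mirrors `acl host_deny hdr(host) -i admin.local` (case-insensitive name match).
BLACKLIST = {"admin.local"}

# RFC 3986 scheme followed by "://" marks an absolute-form request-target.
_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased; the first occurrence of a name wins, which is
    sufficient for this demonstration (a production parser must reject
    duplicate Host headers, see RFC 9112 section 3.2).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def _hostname(host_value):
    """Reduce 'user@Host:port' to a lower-cased host name, or None if absent."""
    if not host_value:
        return None
    return urlsplit("//" + host_value).hostname


def host_from_header_only(raw: bytes):
    """The behaviour the report attributes to hdr(host): look only at the Host
    header and return None when it is missing."""
    _, _, _, headers = parse_request(raw)
    return _hostname(headers.get("host"))


def effective_host(raw: bytes):
    """RFC 9112 section 3.2.2: with an absolute-form request-target, the
    authority of the target is the host and a Host header is ignored.
    Otherwise the Host header (origin-form requests) is used."""
    _, target, _, headers = parse_request(raw)
    if _ABSOLUTE_FORM.match(target):
        authority_host = urlsplit(target).hostname  # drops userinfo and :port
        if authority_host:
            return authority_host
    return _hostname(headers.get("host"))


def is_denied(raw: bytes, resolver) -> bool:
    """Apply the blacklist with the given host resolver; unknown host => allow,
    which is exactly the gap the report describes for the header-only check."""
    host = resolver(raw)
    return host is not None and host in BLACKLIST


if __name__ == "__main__":
    for label, req in (("normal request", NORMAL_REQUEST), ("bypass request", BYPASS_REQUEST)):
        print(f"{label}: header-only denies={is_denied(req, host_from_header_only)}, "
              f"absolute-form-aware denies={is_denied(req, effective_host)}")
```

Running the script prints that the header-only check denies only the first request, while the absolute-form-aware check denies both; the same resolver is what a proxy-side ACL needs to consult so that the request line and the Host header cannot disagree about the target.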