Evelyn Liang created HDFS-16741:
-----------------------------------

Summary: Validate host header value to prevent host header injection
Key: HDFS-16741
URL: https://issues.apache.org/jira/browse/HDFS-16741
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 3.3.4, 3.3.3
Reporter: Evelyn Liang
Attachments: host header injection issue.png
Description

In many cases, developers trust the HTTP Host header value to generate links, import scripts and even generate password reset links. This implementation can be abused because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

*Affected API:* http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=OPEN

Other APIs that allow redirects are also affected by this issue.

Risk Assessment

It is possible for a remote attacker to inject a custom value into the Host header and force the application to redirect legitimate users to a web page or domain that he/she controls. The user may be presented with a look-alike phishing page of the application, using which the attacker can upload or execute malicious content in the user's client.

Fix Recommendation

The web application should validate whether the Host header value is the same as that of the domain serving the request. It should also create a dummy vhost that catches all requests with unrecognized Host headers.

Steps to reproduce:

1. Capture the API request using an interceptor and replace the value of the Host header with the attacker's web server.
2. Now forward the edited request, and it is observed that the API is getting redirected to the attacker-supplied URL in the Host header.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
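The fix recommendation above, as an added example that is not part of this issue or of Hadoop's own (Java) code: a handler that builds a redirect Location only after checking the Host header against an allowlist of the authorities the service is actually served as, and refuses (so the caller can answer 400, the "catch-all vhost" behaviour) for anything unrecognized or malformed. The allowlisted hostnames, port and paths are constructed for the example.

```python
from urllib.parse import urlsplit

def parse_host_header(value):
    """Split a Host header into (hostname, port); return None if malformed.
    Handles bracketed IPv6 literals and lowercases the hostname."""
    if not value or any(c.isspace() for c in value):
        return None
    try:
        parts = urlsplit("//" + value)             # parse as an authority only
        host, port = parts.hostname, parts.port    # .port raises on a bad port
    except ValueError:
        return None
    # Anything beyond host[:port] (userinfo, path, query, fragment) means the
    # header is not a plain authority and must not be echoed into a URL.
    if not host or parts.username is not None or parts.path or parts.query or parts.fragment:
        return None
    return host, port

def authority_if_allowed(host_header, allowed_hosts, default_port):
    """Return the normalized 'host:port' authority when the Host header names
    one of the allowlisted (hostname, port) pairs, else None.
    A header without a port is taken to mean default_port."""
    parsed = parse_host_header(host_header)
    if parsed is None:
        return None
    host, port = parsed
    port = default_port if port is None else port
    if (host, port) not in allowed_hosts:
        return None
    host_part = f"[{host}]" if ":" in host else host   # re-bracket IPv6
    return f"{host_part}:{port}"

def redirect_location(host_header, path, allowed_hosts, default_port=9870):
    """Build the Location for a redirect from the request's Host header.
    Only an allowlisted Host is echoed back; for an unrecognized or malformed
    value return None so the caller responds 400 instead of redirecting to
    an attacker-chosen authority."""
    authority = authority_if_allowed(host_header, allowed_hosts, default_port)
    if authority is None:
        return None
    return f"http://{authority}{path}"

# Constructed allowlist: the authorities this NameNode is really reachable as.
ALLOWED_HOSTS = {("namenode.example.internal", 9870), ("10.0.0.5", 9870)}

if __name__ == "__main__":
    for hdr in ["namenode.example.internal", "attacker.example:9870",
                "namenode.example.internal@attacker.example"]:
        print(repr(hdr), "->", redirect_location(hdr, "/webhdfs/v1/tmp/f?op=OPEN", ALLOWED_HOSTS))
```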