Hacker News new | past | comments | ask | show | jobs | submit login
WordPress 4.8.1 still vulnerable to Host Header Attack (learnwebdevelopment.review)
67 points by learntopdown on Sept 15, 2017 | hide | past | favorite | 11 comments



I get where WordPress is coming from by not fixing this issue since it's an Apache thing. But since Apache's default value causes this to happen I think the framework should try to protect its users. The normal user that had their WordPress installed using an application installer on a shared host isn't going to know about this issue.


As mentioned in a previous discussion by calibas, PHP.net has this disclaimer:

"Note: Under Apache 2, you must set UseCanonicalName = On and ServerName. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts."

So it seems to be clearly a Word Press issue.


With Nginx I've always used this for the first server block to defeat host header attacks, taken from the h5bp boilerplate server configs[0]:

  server {
    listen 80 default_server;
    return 444;
  }
Is something like this necessary for Apache as well? If yes, what are others using? (ignoring the non-standard but effective 444 return code)

[0]https://github.com/h5bp/server-configs-nginx


Fortunately, shared hosts aren't likely to be vulnerable to this attack: in that case, the Host header will be used to identify which shared site to run, so if an attacker changes it they'll get a different site. This vulnerability is only a problem if WordPress is installed as the default site (or has a dedicated IP address), in which case unknown values of the Host header will be passed directly to it.


A given server can effectively have any hostname because of Host:, and that might even be desirable, so Apache's behaviour doesn't seem reasonable.


AKA CVE-2017-8295. Original report on HN 4 months ago, 70 comments: https://news.ycombinator.com/item?id=14263252


Django has an ALLOWED_HOSTS setting, which must be provided even in debug and test configurations. I'm surprised Wordpress doesn't have a similar setting; accepting any arbitrary Host can only cause trouble (at least for those uninformed sites which don't already prevent it at the web server level).


A less inflamed take on the topic I found illuminating: https://pagely.com/blog/2017/05/exploitbox-unauthorized-pass...


More informative, but a nightmare to read. Thin gray font on a white background?


This is why Symfony HttpFoundation has the notion of trusted hosts which is configurable.


It is open source so anyone could submit a PR for it though they might get more help if the drop svn and go with Github.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: