solasoli, Newbie
Posts: 4 | Threads: 1 | Joined: Apr 2017 | Reputation: 0
04-20-2017, 01:27 AM
Hi guys, I got this issue from IT-Sec. I have read and searched thoroughly, but I still can't find any actual solution to fix it. Here it is.
Quote: "HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels. The pentester tried a request with a modified Host header, and the response was generated with the modified Host header. Affected files:
- app/formulir
- app/kompensasi
- app/panduan-agen
- app/produk-dan-layanan
- app/tentang
- app/tentang-
- app/training
The impact of this vulnerability: an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways."
Recommended solution thus far is:
Quote: The web application should use the SERVER_NAME instead of the Host header.
This app is running on XAMPP with a reverse proxy setting for testing. I have already made 3 changes to config.php, but the issue is still there. Here is the code.
1.
PHP Code:
// Build base_url from SERVER_NAME; note the key must be quoted and the
// later parts appended with .= rather than overwriting the value.
if (isset($_SERVER['SERVER_NAME'])) {
    $config['base_url']  = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ? 'https' : 'http';
    $config['base_url'] .= '://' . $_SERVER['SERVER_NAME'];
    $config['base_url'] .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);
} else {
    $config['base_url'] = '';
}
2.
PHP Code:
// Double quotes are needed for the variable to be interpolated.
$config['base_url'] = "http://{$_SERVER['SERVER_NAME']}";
3.
PHP Code:
$config['base_url'] = 'https://jktdc.*********.com/app';
What I'm asking is: how/where/what exactly do I have to change/add to fix this issue? Thanks a lot.
PS: the response header is in the attachment.
Martin7483, Crossfire CMS
Posts: 373 | Threads: 14 | Joined: Sep 2015 | Reputation: 20
We use this in the index.php:
PHP Code:
$default_domain  = 'www.yourwebsite.com';
$allowed_domains = array('yourwebsite.com', 'www.yourwebsite.com');

if ( ! function_exists('is_https_on'))
{
    /**
     * Is HTTPS?
     *
     * Determines if the application is accessed via an encrypted
     * (HTTPS) connection.
     *
     * @return bool
     */
    function is_https_on()
    {
        if ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
        {
            return TRUE;
        }
        elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
        {
            return TRUE;
        }
        elseif ( ! empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')
        {
            return TRUE;
        }

        return FALSE;
    }
}

$protocol = 'http://';
if (is_https_on() && USE_HTTPS)
{
    $protocol = 'https://';
}
// define protocol
define('PROTOCOL', $protocol);
Then check if the HTTP_HOST is within the allowed domains:
PHP Code:
if ( ! in_array($_SERVER['HTTP_HOST'], $allowed_domains))
{
    $_SERVER['HTTP_HOST'] = $default_domain;
}
Then set a constant:
PHP Code:
define('BASE_URL', PROTOCOL.$_SERVER['HTTP_HOST']);
And in the config:
PHP Code:
$config['base_url'] = BASE_URL;
Spoofing the HTTP_HOST header will have no effect this way.
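An added example, not Martin's code and not part of CodeIgniter, that extends the allowlist idea above to the reverse-proxy setup the question describes: it normalises the hostname (case, port), validates X-Forwarded-Host the same way as Host, and uses a strict comparison. It assumes PHP 7 or later; the function name resolve_base_url, the hostnames and the request arrays are constructed for illustration.

```php
<?php
// Added example, not code from this thread or from CodeIgniter.
// Derives base_url from an allowlist of hostnames instead of the raw
// Host header. Assumes PHP 7+; hostnames, ports and the request arrays
// at the bottom are constructed for illustration.

function resolve_base_url(array $server, array $allowed_hosts, string $default_host, string $path = '/'): string
{
    // Normalise the allowlist to lowercase so the comparison is exact.
    $allowed = array_map('strtolower', $allowed_hosts);

    // Behind a reverse proxy the public hostname arrives in X-Forwarded-Host,
    // otherwise in Host. Both are client-supplied, so validate them the same way.
    $raw = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? '';
    // A proxy chain may append hosts ("a.example, b.example"); keep the first.
    $raw = trim(explode(',', $raw)[0]);

    // Split "hostname[:port]"; anything that does not fit is treated as missing.
    $host = '';
    $port = '';
    if (preg_match('/^([a-z0-9.-]+)(?::(\d{1,5}))?$/i', $raw, $m)) {
        $host = strtolower($m[1]);
        $port = isset($m[2]) ? ':' . $m[2] : '';
    }

    // Strict, exact allowlist match. An unknown or malformed host falls back to
    // the default, which is why the hostname you actually test with (including
    // a local reverse-proxy name) must itself be on the list.
    if (!in_array($host, $allowed, true)) {
        $host = $default_host;
        $port = '';
    }

    $https = (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off')
        || strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';

    return ($https ? 'https://' : 'http://') . $host . $port . $path;
}

// Constructed requests against a constructed allowlist.
$allowed = ['yourwebsite.com', 'www.yourwebsite.com'];
$default = 'www.yourwebsite.com';
// Legitimate host with odd casing and a port: kept, normalised to lowercase.
echo resolve_base_url(['HTTP_HOST' => 'WWW.YourWebsite.com:8443', 'HTTPS' => 'on'], $allowed, $default, '/app/'), PHP_EOL;
// Host not on the list: replaced by the default, port dropped.
echo resolve_base_url(['HTTP_HOST' => 'spoofed.example'], $allowed, $default, '/app/'), PHP_EOL;
// Proxy-supplied X-Forwarded-Host takes precedence over Host and is validated too.
echo resolve_base_url(['HTTP_HOST' => '127.0.0.1:8080', 'HTTP_X_FORWARDED_HOST' => 'yourwebsite.com', 'HTTP_X_FORWARDED_PROTO' => 'https'], $allowed, $default, '/app/'), PHP_EOL;
```

If the proxy is the only thing allowed to reach PHP, X-Forwarded-Host can be trusted as the public name; if clients can reach the backend directly, it is just another client header, which is why the function validates it against the same list.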
solasoli, Newbie
Posts: 4 | Threads: 1 | Joined: Apr 2017 | Reputation: 0
(04-20-2017, 03:01 AM)Martin7483 Wrote: We use this in the index.php
Ok, thanks a lot, I will try this and report back.
solasoli, Newbie
Posts: 4 | Threads: 1 | Joined: Apr 2017 | Reputation: 0
(04-20-2017, 03:01 AM)Martin7483 Wrote: We use this in the index.php
I'm sorry, the issue is solved, but the website is not displayed; it keeps loading, but nothing happens. Thanks anyway.