GHSA-c8rp-cgf4-937w

Source

https://github.com/advisories/GHSA-c8rp-cgf4-937w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-c8rp-cgf4-937w/GHSA-c8rp-cgf4-937w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c8rp-cgf4-937w

Published

2022-07-29T22:26:10Z

Modified

2024-11-28T05:41:33.267197Z

Summary

mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack

Details

Impact

mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

3.7.0, and 4.3.0 and later.

The patches present in these versions update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the trustReservedSubnet() constructor, ensuring that the request only honors the X-Forwarded-* headers for private reserved subnets.

Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.

Workarounds

Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.

References

HTTP Host Header Attacks

For more information

If you have any questions or comments about this advisory:

Open an issue in mezzio/mezzio-swoole
Email us

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [],
    "github_reviewed_at": "2022-07-29T22:26:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

Packagist / mezzio/mezzio-swoole

Package

Name: mezzio/mezzio-swoole
Purl: pkg:composer/mezzio/mezzio-swoole

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.7.0

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

1.*

1.0.0

1.0.1

1.0.2

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.7.0

2.8.0

2.8.1

3.*

3.0.0

3.0.1

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

3.6.0

Packagist / mezzio/mezzio-swoole

Package

Name: mezzio/mezzio-swoole
Purl: pkg:composer/mezzio/mezzio-swoole

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.0

Affected versions

4.*

4.0.0

4.1.0

4.1.1

4.2.0