Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-09-01 Thread Bhavesh Mistry
Hi Mark,

Thanks for your help. We will go with validation against a known trusted
list host as you suggested.  Also, I have updated
https://bz.apache.org/bugzilla/show_bug.cgi?id=64353 with reference to the
discussion.

As always, thanks for your wonderful support!

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 2:07 PM Mark Thomas wrote:

> On 29/08/2023 21:51, Bhavesh Mistry wrote:
> > Hi Mark,
> >
> >> curl -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
> >
> > *Why? What problem are you trying to solve?*
> >
> > Host Header injection is a vulnerability that needs to be addressed. I am
> > trying to solve if the host is a mismatch between the HOST (or Authority)
> > header because links are generated based on the host headers.
> >
> > For now the only way to prevent it is to have a set of allowed hosts and
> > check against this list.
>
> I'd argue that links shouldn't be being generated based on the Host
> header. You should be able to use relative links. That said...
>
> Given the wide variety of deployment architectures (CDN, reverse proxy
> etc) if you do need to use the Host header, validation against a known
> trusted list is probably the most robust option. TLS information may not
> always be available.
>
> > Should I update the bug to provide SNI information for the request or
> > should I file another request ?
> > See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353
>
> I'd say add it to that issue as the two are closely related.
>
> > 3) I tried following but again curl - shows it never sent
> > www.mydomain.com  since it only used to
> > reach the IP. (This is what Thomas Hoffmann mentioned).
> >
> https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack
> >
> > Thanks for your help so far.
>
> There is another option.
>
> The Host header is used for virtual host selection. If you create a
> valid virtual host for each valid host name (you can have aliases so
> they could all go to the same host) then the default virtual host could
> just have a ROOT webapp that returned you 4xx response of choice.
>
> It is just a different way of implementing an allow list for the Host
> header. The advantage is that it is transparent to the application(s).
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
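The virtual-host allow list Mark describes, written out as an added example (not configuration from the thread or from the Tomcat project). The host names www.mydomain.com, mydomain.com and app.mydomain.com, the host name reject-unknown-host and the appBase directories are assumed. Every legitimate name gets an explicit Host or Alias; the Engine's defaultHost points at a catch-all Host whose only webapp is a ROOT with a web.xml that denies everything, so an unrecognised Host header gets a 403 before any application code runs:

```xml
<!-- conf/server.xml (fragment).  Added example; host names and paths are assumed. -->
<Engine name="Catalina" defaultHost="reject-unknown-host">

  <!-- One virtual host per trusted name.  Aliases let several names
       share the same webapps directory, so the application sees no change. -->
  <Host name="www.mydomain.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false">
    <Alias>mydomain.com</Alias>
    <Alias>app.mydomain.com</Alias>
  </Host>

  <!-- Catch-all.  Any request whose Host header matches no name or alias
       above (including a missing Host header on an HTTP/1.0 request) is
       routed here, to the ROOT webapp in reject-webapps/. -->
  <Host name="reject-unknown-host" appBase="reject-webapps"
        unpackWARs="false" autoDeploy="false">
  </Host>

</Engine>

<!-- reject-webapps/ROOT/WEB-INF/web.xml: the entire content of the catch-all
     webapp.  An auth-constraint with no roles means no caller is permitted,
     so Tomcat answers every request to this host with 403 Forbidden. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

The reject-webapps/ROOT directory needs nothing but that WEB-INF/web.xml. To check the setup, send one request with a listed name in the Host header and one with an unlisted name to the same connector: the first should reach the application, the second should return 403 and appear in the access log under the reject-unknown-host Host. Keep the trusted list in one place, since a name added to DNS or a CDN but not to the Host/Alias entries will be rejected too.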


Re: Did something JSP related change between 9.0.71 and 9.0.73

2023-09-01 Thread Tim N
Fixed by upgrading New Relic to 8.5.0!

Other environments had this upgraded, but not the failing one.

On Fri, Sep 1, 2023 at 5:26 PM Torsten Krah wrote:

> On Friday, 01.09.2023 at 15:18 +1000, Tim N wrote:
> > We're seeing this too, but not in all our environments. We also use
> > NewRelic.
>
> Does it happen without NewRelic too? If not, better ask NewRelic about
> that problem.
>


Re: Did something JSP related change between 9.0.71 and 9.0.73

2023-09-01 Thread Torsten Krah
On Friday, 01.09.2023 at 15:18 +1000, Tim N wrote:
> We're seeing this too, but not in all our environments. We also use
> NewRelic.

Does it happen without NewRelic too? If not, better ask NewRelic about
that problem.
