Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jOHJwLWNnZjQtOTM3d84AAtvL

mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack

Impact

mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

Fixed in 3.7.0, and in 4.3.0 and later.

The patches present in these versions update the SwooleServerRequestFactory to strip X-Forwarded-* headers when creating the initial request. By default, that instance is then passed through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created via the trustReservedSubnet() named constructor, so the request honors X-Forwarded-* headers only when the connecting peer is on a private reserved subnet.

Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.
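The filter the patch relies on, shown as an added PHP example (not code from the advisory or the mezzio-swoole project); it assumes laminas-diactoros 2.11 or later is installed, uses a constructed request with a hypothetical proxyOnlyFilter() helper, and treats 10.0.0.0/24 as a placeholder for your proxy's address range:

```php
<?php
// Added example, not code from the advisory or the mezzio-swoole project.
// Assumes laminas/laminas-diactoros >= 2.11 is installed via Composer.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\ServerRequest;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
use Laminas\Diactoros\Uri;

// Build a request as Swoole would see it when a peer at $remoteAddr
// connects and sends X-Forwarded-* headers (constructed sample values).
function forwardedRequest(string $remoteAddr): ServerRequest
{
    return new ServerRequest(
        ['REMOTE_ADDR' => $remoteAddr],            // server params
        [],                                        // uploaded files
        new Uri('http://app.internal:8080/login'), // URI derived from Host
        'GET',
        'php://memory',
        [
            'Host'              => 'app.internal:8080',
            'X-Forwarded-Host'  => 'evil.example', // attacker-controlled
            'X-Forwarded-Proto' => 'https',
            'X-Forwarded-Port'  => '443',
        ]
    );
}

// Default filter in the patched SwooleServerRequestFactory: X-Forwarded-*
// is honoured only when REMOTE_ADDR lies in a private/reserved subnet.
$default = FilterUsingXForwardedHeaders::trustReservedSubnet();

// Stricter filter for deployments that know their proxy's address range.
// Return this from a factory registered under
// FilterServerRequestInterface::class in 'dependencies' => 'factories'
// (10.0.0.0/24 is an assumed placeholder for your proxy range).
function proxyOnlyFilter(): FilterServerRequestInterface
{
    return FilterUsingXForwardedHeaders::trustProxies(['10.0.0.0/24']);
}

foreach (['10.0.0.5' => 'private peer', '203.0.113.9' => 'public peer'] as $addr => $label) {
    $request = forwardedRequest($addr);
    // With the default filter the private peer's headers rewrite host,
    // scheme and port; the public peer's headers are ignored.
    printf("%-12s default: %s\n", $label, $default($request)->getUri());
    printf("%-12s strict : %s\n", $label, proxyOnlyFilter()($request)->getUri());
}
```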

Workarounds

Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.

Permalink: https://github.com/advisories/GHSA-c8rp-cgf4-937w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOHJwLWNnZjQtOTM3d84AAtvL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-c8rp-cgf4-937w
References: Repository: https://github.com/mezzio/mezzio-swoole
Blast Radius: 0.0

Affected Packages

packagist:mezzio/mezzio-swoole
Dependent packages: 7
Dependent repositories: 8
Downloads: 179,788 total
Affected Version Ranges: >= 4.0.0, < 4.3.0, < 3.7.0
Fixed in: 4.3.0, 3.7.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.8.0, 2.8.1, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 4.0.0, 4.1.0, 4.1.1, 4.2.0
All unaffected versions: 3.7.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0