Some application frameworks support various non-standard HTTP headers that can be used to override the URL in the original request, such as X-Original-URL and X-Rewrite-URL. If a web site uses rigorous front-end controls to restrict access based on URL, but the application allows the URL to be overridden via a request header, then it might be possible to bypass the access controls using a.
An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information. This vulnerability alert impacts software or systems such as Debian, Drupal Core, Fedora, Symfony.
The X-Original-URL header can be unset via the following VCL snippet:

unset req.http.x-original-url;

And X-Rewrite-URL can be unset via the following VCL snippet:

unset req.http.x-rewrite-url;

Alternatively, these values could be included in your cache key [6] or Vary header [7] to prevent caching of content across security domains. Please see our documentation [6] for guidance on manipulating your edge.
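The same idea as the VCL snippets above, applied at the origin as an added example (not code from the original page or from any vendor): a WSGI middleware that drops both override headers before the framework can read them and reports what it removed so the attempt can be logged. The class name, callback and sample request are assumptions made for illustration.

```python
# Added example: strip URL-override headers before the application sees them.
# All names below are hypothetical; the sample request is constructed.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def _environ_key(header):
    # WSGI exposes request headers as HTTP_<NAME>, upper-cased, '-' -> '_'.
    return "HTTP_" + header.upper().replace("-", "_")


class StripUrlOverrideHeaders:
    """Remove override headers and hand the removed values to a logger hook."""

    def __init__(self, app, on_strip=None):
        self.app = app
        self.on_strip = on_strip  # optional callback(path, {header: value})

    def __call__(self, environ, start_response):
        removed = {}
        for header in OVERRIDE_HEADERS:
            value = environ.pop(_environ_key(header), None)
            if value is not None:
                removed[header] = value
        if removed and self.on_strip:
            # The real request path plus the attempted override is worth logging.
            self.on_strip(environ.get("PATH_INFO", ""), removed)
        return self.app(environ, start_response)


def demo():
    """Send a constructed request through the middleware; return what the app saw."""
    seen, events = {}, []

    def app(environ, start_response):
        seen.update({k: v for k, v in environ.items() if k.startswith("HTTP_")})
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [environ["PATH_INFO"].encode()]

    wrapped = StripUrlOverrideHeaders(app, on_strip=lambda p, r: events.append((p, r)))
    environ = {  # constructed sample request
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "HTTP_HOST": "example.test",
        "HTTP_X_ORIGINAL_URL": "/admin",
        "HTTP_X_REWRITE_URL": "/admin",
    }
    body = wrapped(environ, lambda status, headers: None)
    return seen, events, body
```

Because WSGI maps both `-` and `_` in header names to `_`, a header sent as `X_Original_URL` lands on the same environ key and is removed as well.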
Notice that the server normalizes these to forward slashes using a redirect. Therefore, X-Original-URL: /setlang\es triggers a 302 response that redirects to /setlang/es. Observe that this 302 response is cacheable and, therefore, can be used to force other users to the Spanish version of the home page. You now need to combine these two exploits.
X-Original-URL X-Rewrite-URL 3. Less is More: Quantifying the Security Benefits of Debloating Web Applications … Unsafe object deserialization vulnerability is the target of this exploit. Attacker can control value of properties on injected objects. (Also known as Property Oriented Programming, POP)

8/17/2018 · This revealed the headers X-Original-URL and X-Rewrite-URL which override the request’s path, Kettle explained. I first noticed them affecting targets running Drupal, and digging through Drupal’s code revealed that the support for this header comes from the popular PHP framework Symfony, which in turn took the code from Zend.
A remote attacker can exploit it with a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value, which overrides the path in the request URL to potentially bypass access restrictions and cause the target system to render a different URL.
Let’s imagine for this example that, after running Param Miner against the headers of a site, we find the headers X-Original-Url or X-Rewrite-Url as unkeyed inputs. In addition to the danger they represent (CWE-436), we can issue a request that asks for one page but returns another, and that response will be kept in the cache. See this example:

6/29/2016 · This could be exploited by unauthenticated attackers to include arbitrary .php files located outside the Concrete5 root directory or from the Concrete5 codebase itself (potentially leading to unauthorized access to certain functionalities) by sending an HTTP request like this:

GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive