Twisted vulnerable to NameVirtualHost Host header injection

2022-10-2622:08:39

Google

osv.dev

twisted

namevirtualhost

host header injection

html injection

script injection

noresource

configuration

site

reactor

curl

vulnerability

f49041bb67792506d85aeda9cf6157e92f8048f4

0.9.4

software

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

52.1%

JSON

When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.

Example configuration:

from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()

Output:

❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/

&lt;html&gt;
  &lt;head&gt;&lt;title&gt;404 - No Such Resource&lt;/title&gt;&lt;/head&gt;
  &lt;body&gt;
    <h1>No Such Resource</h1>
    <p>host b'<h1>hello there</h1>' not in vhost map</p>
  &lt;/body&gt;
&lt;/html&gt;