On 2022-04-07 6:18 PM, matthew sporleder wrote:
Yes, I agree: the point of the "vulnerability" is that an HTTP 1.0 request (which does
not require a Host header) will cause the origin to guess what it should put in the
Location header. In some cases that guess is the IP of the server. In an HTTP 1.1 or
higher request the Host header is used.
I don't know what it has to do with IIS or Basic auth but that cve is very
very old.
I can't think of a way to return a redirect without violating this condition
because iirc the http spec says Location headers need to be fully qualified
with protocol and host! That might not have applied in the http 1.0 days
though. (Although in practice many servers return just /paths)
I think you can redirect to either absolute or relative URL, the problem
is that relative URLs are really just paths within DocumentRoot -- no
port number. I.e. you can't use them to redirect from :80 to :8983.
I'm not sure what that CVE is really about either, there's just not
enough detail there to make any sense. Authentication's kinda b0rk3d in
IIS anyway; AFAIK auth returns a 401, not a redirect. Whereas a redirect
to IP is perfectly fine when, as you say, server can't figure out what
name to put in there. The "information disclosure" problem sounds like it
came out of the knee-jerk security research team since if the host is
reachable, then its IP address is known...
Dima
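The behaviour discussed above, as an added example that is not part of the thread: a minimal model of how an origin builds a Location header when a Host header is absent, the same logic falling back to a configured canonical name instead of the socket address, and a check that flags a Location header whose host part is an IP literal. The request strings and the function names are constructed for this example; the canonical-name setting is assumed (for instance Apache's ServerName).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample requests (not from the thread): an HTTP/1.0 request
# with no Host header, and an HTTP/1.1 request that carries one.
REQ_HTTP10 = "GET /app HTTP/1.0\r\n\r\n"
REQ_HTTP11 = "GET /app HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def parse_request(raw):
    """Return (http_version, headers) with header names lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version = lines[0].split()[2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, headers


def location_naive(raw, server_ip, server_port, target_path):
    """The behaviour the thread describes: with no Host header (legal in
    HTTP/1.0) the origin falls back to its own listening address, so the
    absolute Location header discloses the server's IP."""
    _, headers = parse_request(raw)
    host = headers.get("host") or f"{server_ip}:{server_port}"
    return f"http://{host}{target_path}"


def location_hardened(raw, canonical_host, target_path):
    """Mitigation: fall back to an administrator-configured canonical
    hostname (assumed setting) rather than the socket address."""
    _, headers = parse_request(raw)
    host = headers.get("host") or canonical_host
    return f"http://{host}{target_path}"


def location_leaks_ip(location):
    """Check for a scanner or test suite: is the host part of a Location
    header an IP literal instead of a name? Relative Locations have no
    host part and therefore cannot leak one."""
    hostname = urlsplit(location).hostname
    if hostname is None:
        return False
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False
```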