
Host Header Injection

Status: Open. irfanasyraf opened this issue 1 year ago, 4 comments.

Description:

Make a request directly to the following host via HTTP (Port 80) with an arbitrary domain in the "Host" header.

e.g. curl -v -k -H "Host: test123.com" https://<rocketchat domain>

Observe the redirect to the inserted domain.

Expected behavior:

The redirect should not happen based on the "Host" header value and it should be rejected.

The web application profile is specifically bound to the correct host name to ensure that arbitrary host names sent to the web server will not reach the application. When validating the host headers, a whitelist approach where only allowed domains are declared should be preferred over a blacklist.

Actual behavior:

It was observed that the user is redirected based on the "Host" header value.

Server Setup Information:

  • Version of Rocket.Chat Server: v6.9.2
  • Operating System: Linux
  • Deployment Method: docker (taken from OpenSource Rocketchat Docker)
  • Number of Running Instances: 1 server 1 Database
  • MongoDB Version: 6.0.15

irfanasyraf, Jun 28 '24 04:06

Thanks for your observation.

I will ask for someone to review this.

reetp, Jun 28 '24 10:06

Can you clarify what you mean?

The redirect here should be (and is) handled by the webserver in front, not by Rocket.Chat itself.

debdutdeb, Jun 28 '24 13:06

Hi team,

My Rocketchat Application is fronted by an AWS ALB, so I might redirect it using WAF rules before it reaches the instance where my server is hosted.

I was just wondering if there is any such feature where I can just 'whitelist' my Rocketchat domain from the Rocketchat settings itself when a host header injection is being done.

Thank you and appreciate the help!

irfanasyraf, Jun 28 '24 15:06
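The allow-list check the reporter asks about is, per the maintainer reply above, normally enforced in the web server or proxy in front of Rocket.Chat rather than in the application. The following Node.js request handler is an added example and is not Rocket.Chat code or anything posted in this thread; the names chat.example.com and www.chat.example.com are assumed placeholders. It puts the reported vulnerable pattern (redirect target copied from the Host header) beside the hardened one (Host compared against an allow-list, redirect target built from the configured canonical name), with port stripping, case folding and trailing-dot handling so that "CHAT.EXAMPLE.COM:443" matches while "chat.example.com.evil.com" and "test123.com" are refused.

```javascript
// Added example, not Rocket.Chat code: Host-header allow-list for the front
// web server / HTTP->HTTPS redirector. Domain names below are assumptions.

// Canonical public name of the deployment (assumed placeholder).
const CANONICAL_HOST = "chat.example.com";
// Only these Host values are allowed to reach the application.
const ALLOWED_HOSTS = new Set([CANONICAL_HOST, "www.chat.example.com"]);

// Reduce a raw Host header to a comparable host name: lowercase, trailing dot
// removed, :port stripped (bracketed IPv6 literals handled). Returns null when
// the header is missing or is not a single well-formed authority.
function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  let host = raw.trim().toLowerCase();
  if (host === "") return null;
  if (host.startsWith("[")) {
    const end = host.indexOf("]");
    if (end === -1) return null;
    const rest = host.slice(end + 1);
    if (rest !== "" && !/^:\d{1,5}$/.test(rest)) return null;
    return host.slice(0, end + 1);
  }
  const parts = host.split(":");
  if (parts.length > 2) return null;
  if (parts.length === 2 && !/^\d{1,5}$/.test(parts[1])) return null;
  host = parts[0];
  // Reject anything that is not a plain DNS-style label sequence
  // (e.g. "chat.example.com@evil.com" or path/scheme characters).
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  return host.replace(/\.$/, "");
}

// Allow-list (whitelist) check: exact match after normalization.
function hostAllowed(raw, allowed = ALLOWED_HOSTS) {
  const host = normalizeHost(raw);
  return host !== null && allowed.has(host);
}

// Vulnerable pattern (the behaviour reported in this issue): the redirect
// target is built from the attacker-controlled Host header and reflected.
function unsafeRedirectLocation(req) {
  return `https://${req.headers.host}${req.url}`;
}

// Hardened pattern: the Host header is only compared, never copied; the
// redirect target comes from configuration. Returns null for unknown hosts.
function safeRedirectLocation(req) {
  if (!hostAllowed(req.headers.host)) return null;
  return `https://${CANONICAL_HOST}${req.url}`;
}

// Node http-style (req, res) handler for the plain-HTTP listener: redirect
// known hosts to HTTPS, refuse everything else so nothing is reflected.
// Wire it with: http.createServer(handleRequest).listen(80)
function handleRequest(req, res) {
  const location = safeRedirectLocation(req);
  if (location === null) {
    res.writeHead(421, { "Content-Type": "text/plain" }); // Misdirected Request
    res.end("Misdirected Request\n");
    return;
  }
  res.writeHead(301, { Location: location });
  res.end();
}
```

Matching on the normalized name rather than on a substring matters: a contains-check for "chat.example.com" would still accept "chat.example.com.evil.com", which is exactly the kind of host an attacker supplies to get a redirect to a domain they control.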

For reference this was your post on forums:

https://forums.rocket.chat/t/edit-content-security-policy/20212

From this post I note that your server is air gapped as well?

https://forums.rocket.chat/t/disable-concurrent-login/20208

This sort of information is really important.

> My Rocketchat Application is fronted by an AWS ALB, so I might redirect it using WAF rules before it reaches the instance where my server is hosted.

I'm wondering if this is more to do with your own setup than it is to do with Rocket.

reetp, Jun 29 '24 11:06

Hi team,

I have actually set the Host Header configuration on the WAF fronted by the ALB.

So this case is resolved.

Appreciate the help.

Thank you!

irfanasyraf, Jul 04 '24 04:07

Based on the above comment, case resolved.

casalsgh, Jul 05 '24 17:07