[security] Spoofing Hostname leads to Write-Access on any system #48

cHolzberger · 2019-09-29T13:53:24Z

git-webui/src/libexec/git-core/git-webui

Line 145 in dee7c19

host = self.headers.get("Host", "").split(":")[0]

You can spoof the localhost hostname from any system able to connect to gitweb and by this code anyone able to access webui by the hostname "localhost" have writeaccess.

Curl Example:
curl 'http://192.168.X.X:8000/viewonly' -H "Host: localhost" -> 0

Also accessing localhost by another Hostname results in no write access
curl 'http://localhost:8000/viewonly' -H "Host: exthost" -> 1

The text was updated successfully, but these errors were encountered:

…r the ip of the client. sort-of fixes: alberthier#48

cHolzberger changed the title ~~Spoofing Hostname leads to Write-Access on any system~~ [security] Spoofing Hostname leads to Write-Access on any system Sep 29, 2019

cHolzberger added a commit to cHolzberger/git-webui that referenced this issue Sep 29, 2019

bugfix: do not check for how the server is called in a request but fo…

9d39127

…r the ip of the client. sort-of fixes: alberthier#48

cHolzberger linked a pull request Sep 29, 2019 that will close this issue

bugfix: check for client-ip instead of server-hostname sort-of fixes: #48 #49

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] Spoofing Hostname leads to Write-Access on any system #48

[security] Spoofing Hostname leads to Write-Access on any system #48

cHolzberger commented Sep 29, 2019

[security] Spoofing Hostname leads to Write-Access on any system #48

[security] Spoofing Hostname leads to Write-Access on any system #48

Comments

cHolzberger commented Sep 29, 2019