Fake URL injection in homepage - nop 3.00 site.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
maras54 wrote:
Is it possible that they change the "HTTP_HOST" header while visiting or posting to our site? Because that is what the GetStoreHost(bool useSsl)
method in WebHelper.cs uses to get the storeLocation.

So if that is possible, while the store cache is empty and one of those crawlers visits our site, the storeLocation is set by their host.
And it rarely happens, so that kinda makes sense to me.

Is it possible? Any idea?


Yes, it's possible; it's an example of cache poisoning as described in this article: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html. It's pretty easy to replicate:

1. Make sure the binding for the nop site in IIS has no hostname specified:

2. Use a browser extension like ModHeader for Chrome that allows you to modify the header values that are sent with the HTTP request.

3. Configure ModHeader to send a different string in the Host header.

4. Browse to the nop website homepage (make sure it's the first request to the site so that the cache is empty). Whatever string you set in the Host header will be used in place of the actual hostname, so you'll see lots of broken image links where the modified Host header has been used to construct the absolute URL for the image src (why do the image srcs need to use absolute URLs anyway?).

5. Switch off the ModHeader profile and refresh the page. The image links will still be broken since they've been cached using the absolute URL generated with the fake host name. Clearing the cache or restarting the site will fix it.

This very simple example is easy to mitigate: just make sure that the site bindings in IIS are set up with explicit host names so that IIS doesn't send the request to nop in the first place.

It would be interesting to know from anyone who's been affected by this how they have their IIS bindings set up.
8 years ago
Thank you Pete, your response was so helpful.
My nop site in IIS does not have a hostname specified.

I want to make sure that I understand it right.
Changing the IIS binding to have the hostname "mystore.com" would fix it, right?

Also, I think the best solution would be for the nop team to change the method that gets the store location?
8 years ago
maras54 wrote:
Thank you Pete, your response was so helpful.
My nop site in IIS does not have a hostname specified.

No problem. To be honest you should take the credit as it was your suggestion that made me investigate it and confirm your suspicion.

maras54 wrote:
I want to make sure that I understand it right.
Changing the IIS binding to have the hostname "mystore.com" would fix it, right?

Yes, changing the IIS binding to include an explicit host name will be sufficient to protect you against this simple form of cache poisoning. In most cases I don't even think this is an attack as such; it's just a badly configured search engine accidentally poisoning the cache while spidering the site. However, as the article linked above points out, there are more advanced forms of this attack (such as including multiple host values) which can cause unexpected results on some web servers. I don't know if there are any known exploits for IIS/.NET that use this particular attack vector. Note: you might want to include bindings for www.mystore.com and mystore.com since they're not considered to be the same by IIS.

maras54 wrote:
Also, I think the best solution would be for the nop team to change the method that gets the store location?

Yeah, that's possible. It basically comes back to the idea that any user-submitted content shouldn't be trusted by a web application. While we usually think of this in simple terms (such as people trying to submit dodgy SQL commands in search inputs), the truth is that the entire request to the server can be handcrafted by a malicious user to exploit vulnerabilities in the application; so the entire request, including any server variables derived from it, should be treated as suspect.

The conclusion to the article linked above mentions that whitelisting the trusted host values is one way to protect against this. Since nop already allows us to specify multiple host names per store, I think GetStoreLocation(bool useSsl) could be modified to only accept requests from known hosts (and localhost for development purposes).
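As an added illustration of the two points above (a store location derived from the client's Host header and cached on the first request, and the allow-list fix Pete suggests), here is a small C# model. It is not nopCommerce's own code and not the author's: `Store`, `HttpRequestLike`, `StoreHostResolver` and the two `GetStoreLocation*` methods are names assumed for this example, and the comma-separated `Hosts` property merely imitates nop letting you list several hostnames per store.

```csharp
// Added example (not nopCommerce's code): how a cached store location built from
// the request Host header gets poisoned, and how an allow-list of known hosts
// (plus localhost for development) prevents it. All type and member names here
// are assumptions for the illustration; nop's real WebHelper differs.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Store
{
    public string Url { get; set; }    // canonical URL, e.g. "http://mystore.com/"
    public string Hosts { get; set; }  // known hostnames, e.g. "mystore.com,www.mystore.com"
}

public sealed class HttpRequestLike
{
    public string HostHeader { get; set; }  // raw Host header value exactly as the client sent it
    public bool IsSecure { get; set; }
}

public sealed class StoreHostResolver
{
    private readonly Store _store;
    private string _cachedLocation;  // stands in for the cached store location

    public StoreHostResolver(Store store) { _store = store; }

    // Vulnerable variant: trusts whatever Host the first request carried and caches it.
    public string GetStoreLocationUnsafe(HttpRequestLike request)
    {
        if (_cachedLocation == null)
            _cachedLocation = (request.IsSecure ? "https://" : "http://") + request.HostHeader + "/";
        return _cachedLocation;
    }

    // Hardened variant: an unknown Host falls back to the store's configured URL.
    public string GetStoreLocationSafe(HttpRequestLike request)
    {
        if (_cachedLocation == null)
        {
            var host = IsKnownHost(request.HostHeader) ? request.HostHeader : new Uri(_store.Url).Host;
            _cachedLocation = (request.IsSecure ? "https://" : "http://") + host + "/";
        }
        return _cachedLocation;
    }

    public void ClearCache() { _cachedLocation = null; }

    private bool IsKnownHost(string hostHeader)
    {
        if (string.IsNullOrWhiteSpace(hostHeader)) return false;
        // Drop an explicit port and compare case-insensitively. (Bracketed IPv6
        // literals such as "[::1]:80" are not handled by this simple split.)
        var hostOnly = hostHeader.Split(':')[0].Trim();
        var allowed = (_store.Hosts ?? "")
            .Split(',')
            .Select(h => h.Trim())
            .Where(h => h.Length > 0)
            .Append("localhost");
        return allowed.Any(h => string.Equals(h, hostOnly, StringComparison.OrdinalIgnoreCase));
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new Store { Url = "http://mystore.com/", Hosts = "mystore.com,www.mystore.com" };
        // Constructed requests: a crawler (or ModHeader) sends a bogus Host on the first hit,
        // then a normal visitor arrives.
        var poisoned = new HttpRequestLike { HostHeader = "crawler.example", IsSecure = false };
        var normal = new HttpRequestLike { HostHeader = "mystore.com", IsSecure = false };

        var unsafeResolver = new StoreHostResolver(store);
        Console.WriteLine(unsafeResolver.GetStoreLocationUnsafe(poisoned));  // http://crawler.example/
        Console.WriteLine(unsafeResolver.GetStoreLocationUnsafe(normal));    // still http://crawler.example/ (cached)

        var safeResolver = new StoreHostResolver(store);
        Console.WriteLine(safeResolver.GetStoreLocationSafe(poisoned));      // http://mystore.com/
        Console.WriteLine(safeResolver.GetStoreLocationSafe(normal));        // http://mystore.com/
    }
}
```

The two resolvers behave identically for well-behaved clients; they differ only in what the first unexpected Host value does to the cache, which is exactly the condition the thread describes (empty cache, crawler visit). An explicit IIS binding stops the bad request before it reaches the application; the allow-list covers the case where the binding is missing or where the application is hosted behind something that forwards arbitrary Host values.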
8 years ago
I'm also facing the same issue in my website, which is in nop 3.60. The src of the home page featured products section and slider section images has been changed many times to other websites' URLs. After a cache clear it starts working fine. I'm new in the nop family, so I'm not able to solve this issue. Kindly share the solution if anyone has found it.

Kindly let me know if any information is required from my side.

Thanks in advance
7 years ago
Hello,
Same problem in 3.80, URL changed to 7xbxb.com.
With a cache clear it works again correctly. I think that it's a problem of injection in the cache.
This is a severe bug.

Regards.
7 years ago
I think that it's a crawler. I found this domain on other machines (with Apache and Linux) and I see that it makes requests with its domain in the header, in the hostname field.
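A way to check your own logs for the behaviour described in this post (a crawler sending its own domain in the Host header), as an added example that is not part of the thread or of nopCommerce: the snippet below reads IIS W3C log lines, finds the `cs-host` column from the `#Fields:` directive, and counts every Host value that is not one of the site's known hostnames. It assumes the optional `cs-host` field has been enabled in the site's W3C logging fields; the log lines in `Main` are constructed for the illustration, and `HostHeaderAudit` / `FindUnknownHosts` are names chosen here.

```csharp
// Added example (not from the thread or nopCommerce): audit IIS W3C logs for
// Host header values outside the site's known hostnames. Assumes cs-host is
// among the logged fields; sample log lines are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public static class HostHeaderAudit
{
    // Returns host -> request count for every Host value not in the allow-list.
    public static Dictionary<string, int> FindUnknownHosts(IEnumerable<string> logLines, IEnumerable<string> knownHosts)
    {
        var allowed = new HashSet<string>(knownHosts.Select(h => h.ToLowerInvariant()));
        var unknown = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        int hostIndex = -1;

        foreach (var line in logLines)
        {
            if (line.StartsWith("#Fields:", StringComparison.Ordinal))
            {
                // The log declares its own column order; locate cs-host from it.
                var fields = line.Substring("#Fields:".Length)
                                 .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                hostIndex = Array.IndexOf(fields, "cs-host");
                continue;
            }
            if (line.StartsWith("#", StringComparison.Ordinal) || hostIndex < 0)
                continue;  // other directives, or cs-host is not being logged at all

            var cols = line.Split(' ');
            if (cols.Length <= hostIndex) continue;  // malformed or truncated entry

            // Strip any ":port" suffix before comparing (IPv6 literals not handled here).
            var host = cols[hostIndex].Split(':')[0].ToLowerInvariant();
            if (host == "-" || allowed.Contains(host)) continue;

            unknown[host] = unknown.TryGetValue(host, out var n) ? n + 1 : 1;
        }
        return unknown;
    }

    public static void Main()
    {
        // Constructed sample log; the unknown host and client IPs are documentation/example values.
        var sampleLog = new[]
        {
            "#Software: Microsoft Internet Information Services 10.0",
            "#Fields: date time s-ip cs-method cs-uri-stem cs-host c-ip cs(User-Agent) sc-status",
            "2017-01-10 03:12:01 10.0.0.5 GET / mystore.com 203.0.113.7 Mozilla/5.0 200",
            "2017-01-10 03:12:09 10.0.0.5 GET / unknownhost.invalid 198.51.100.9 SomeBot/1.0 200",
            "2017-01-10 03:13:44 10.0.0.5 GET /product/1 www.mystore.com 203.0.113.8 Mozilla/5.0 200",
            "2017-01-10 03:14:02 10.0.0.5 GET / unknownhost.invalid 198.51.100.9 SomeBot/1.0 200",
        };

        var result = FindUnknownHosts(sampleLog, new[] { "mystore.com", "www.mystore.com" });
        foreach (var kv in result)
            Console.WriteLine($"{kv.Key}: {kv.Value} request(s) with an unrecognised Host header");
        // unknownhost.invalid: 2 request(s) with an unrecognised Host header
    }
}
```

If the report is non-empty while the site has no explicit IIS hostname binding, those requests reached the application with an untrusted Host value, which is the condition under which the cached store location can be set incorrectly. A daily run of this check, or the equivalent query in whatever log tooling you already use, gives a quick way to tell a misbehaving crawler from a genuine site problem.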
3 years ago
Version 4.30: this has happened to one of my websites that's currently under development. I cannot set a specific hostname as we don't have one yet, so it's loading on IP. Any advice please?
3 years ago
You should just be able to create an IIS binding for the site using IP address as the hostname.