Slabiak Appointment Scheduler Host Header Poisoning Open Redirect Vulnerability
Vulnerability
A Host header poisoning vulnerability leading to an open redirect has been identified in Slabiak Appointment Scheduler version 1.0.5. Remote attackers can set the Host header of an HTTP request to an arbitrary value, and because the application uses that value when building redirect URLs, users are redirected to attacker-chosen websites. Such redirection could result in credential theft, malware distribution, or other harmful activities.
Impact
Exploitation of this vulnerability could lead to unauthorized redirection of users to malicious sites, with potential consequences including theft of credentials, distribution of malware, or other malicious actions.
Reproduction
The vulnerability can be reproduced by changing the Host header in an HTTP request to an arbitrary value, such as example.com. The application currently does not validate the Host header, allowing for successful redirection to the specified site.
Remediation
To address this vulnerability, it is recommended to validate the Host header against a whitelist of allowed values and to avoid using the Host header for constructing URLs in security-sensitive contexts.
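The remediation above, worked through as an added example (this is illustrative code, not the Slabiak Appointment Scheduler's own): the vulnerable pattern that builds an absolute redirect URL straight from the Host header sits next to a hardened version that only accepts allow-listed hosts and otherwise falls back to a configured canonical host. The allow-list, canonical host, and sample paths are constructed for the example; the same-origin path check is an extra guard the advisory does not mention.

```python
import re
from typing import Optional

# Constructed allow-list for this example; a real deployment would list its own
# canonical hostname(s), optionally with the port the service is reached on.
ALLOWED_HOSTS = {"scheduler.example.org", "scheduler.example.org:8443"}
CANONICAL_HOST = "scheduler.example.org"

# Hostname (or IPv4/bracketed IPv6 literal) with an optional port, nothing else.
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(:\d{1,5})?$")


def vulnerable_redirect_url(host_header: str, path: str) -> str:
    """The pattern the advisory describes: the Host header is trusted verbatim
    when an absolute redirect URL is built, so Host: example.com sends the
    user to example.com."""
    return f"https://{host_header}{path}"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case and syntax-check the Host header; return None if it is
    missing, malformed, or not on the allow-list."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if not _HOST_RE.match(host):
        return None
    return host if host in ALLOWED_HOSTS else None


def safe_redirect_url(host_header: Optional[str], path: str) -> str:
    """Hardened version: the redirect target is built only from an allow-listed
    host (falling back to the configured canonical host) and a same-origin path.
    The path check is an added guard: a value such as //evil.example would
    otherwise become an open redirect on its own."""
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        path = "/"
    host = normalize_host(host_header) or CANONICAL_HOST
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed request matching the reproduction step: Host rewritten to example.com.
    print(vulnerable_redirect_url("example.com", "/login"))  # https://example.com/login
    print(safe_redirect_url("example.com", "/login"))        # https://scheduler.example.org/login
```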
