Fabio HTTP Router Header Manipulation Vulnerability

Vulnerability

A vulnerability in Fabio, an HTTP(S) and TCP router for applications managed by Consul, allows clients to remove or manipulate certain X-Forwarded headers (X-Forwarded-For is not affected). The issue arises from Fabio's handling of hop-by-hop headers: a client can name these headers in the HTTP Connection header, and Fabio then treats them as hop-by-hop and drops them. As a result, headers such as X-Forwarded-Host and X-Forwarded-Port can be stripped from the requests that reach backend applications, undermining any security decision those applications base on them. The flaw is present in Fabio versions through 1.6.5 and is patched in version 1.6.6.

Impact

Exploitation of this vulnerability could allow the unauthorized removal or alteration of trusted HTTP headers, such as X-Forwarded-Host and X-Forwarded-Port, which backend applications use to determine the original request details. If an application relies on these headers for security decisions, such as access control, their manipulation could bypass those controls and lead to unauthorized access or actions. Additionally, stripping headers like X-Real-IP could mislead an upstream server about the true source of a request, creating further potential for exploitation.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to a Fabio router with the Connection header modified to name hop-by-hop headers that Fabio manages, such as X-Forwarded-Host or X-Forwarded-Port. This can be done with a tool like curl by specifying the desired headers in the request. Once the request is sent, the response can be checked to confirm that the named X-Forwarded header has been removed, demonstrating the vulnerability.
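The stripping mechanism described above, shown with Go's standard httputil.ReverseProxy, which removes any header the client names in Connection after the Director has run. This is an added example, not Fabio's code, and it does not claim to be Fabio's exact code path or fix; it contrasts the weak Director pattern with the Rewrite pattern available since Go 1.20 (Rewrite runs after hop-by-hop removal) and uses an in-process backend that echoes what it received.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Weak pattern: Director sets X-Forwarded-Host, but ReverseProxy strips hop-by-hop headers
// (including any the client names in Connection) after Director returns, so the value is lost.
func directorProxy(target *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		r.Header.Set("X-Forwarded-Host", r.Host)
	}
	return p
}

// Hardened pattern (Go 1.20+): Rewrite runs after hop-by-hop removal, and ReverseProxy
// also drops any client-supplied X-Forwarded-* first, so the values set here survive.
func rewriteProxy(target *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(target)
		pr.SetXForwarded() // X-Forwarded-For/Host/Proto taken from the inbound request
	}}
}

// forwardedHostSeen sends one request carrying the given Connection value through the
// proxy to a constructed in-process backend, which echoes the X-Forwarded-Host it received.
func forwardedHostSeen(build func(*url.URL) *httputil.ReverseProxy, connection string) string {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Forwarded-Host", r.Header.Get("X-Forwarded-Host"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	front := httptest.NewServer(build(target))
	defer front.Close()
	req, _ := http.NewRequest("GET", front.URL, nil)
	req.Header.Set("Connection", connection)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return ""
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Seen-Forwarded-Host")
}
```

With the weak proxy, forwardedHostSeen(directorProxy, "X-Forwarded-Host") returns an empty string while the benign "keep-alive" request returns the client's Host; the Rewrite-based proxy returns the Host in both cases. A request whose Connection header names an X-Forwarded-* header is itself worth logging at the proxy as a tampering signal.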

Remediation

Users can update to Fabio version 1.6.6 or later, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.0
exploitability: 8.7
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.