LinuxServer Heimdall Host Header Injection and Open Redirect Vulnerability

Vulnerability

A vulnerability has been identified in LinuxServer Heimdall version 2.6.3-ls307, specifically within the Docker image 'linuxserver/heimdall:latest'. This vulnerability arises from improper handling of user-supplied HTTP headers, particularly 'X-Forwarded-Host' and 'Referer'. An unauthenticated remote attacker can exploit this to perform Host Header Injection and Open Redirect attacks. The exploitation allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially leading to phishing, UI redress, and session theft.

Impact

Exploitation of this vulnerability allows for Host Header Injection, which can be used to load resources from malicious domains and redirect users to attacker-controlled sites. Such actions could be combined with other attacks, like phishing or stealing session cookies.

Reproduction

The vulnerability can be reproduced by sending a GET request to the Heimdall application with a manipulated 'X-Forwarded-Host' header. The injected host is reflected in the response, so the page loads resources from the attacker-specified domain. The Open Redirect can be reproduced by sending a POST request to the '/users/2' endpoint with a crafted 'Referer' header, which the application reflects in the 'Location' response header, redirecting the user to the injected URL.
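Added example (not Heimdall's code) showing the two checks that close both findings: honouring 'X-Forwarded-Host' only from a trusted proxy and only when it matches an allow-list, and accepting a 'Referer'-derived redirect only when it points back at the application as a relative path. The host allow-list, proxy address and fallback path are constructed values.

```python
from urllib.parse import urlsplit

# Constructed configuration (not Heimdall's): the canonical host this deployment
# serves and the reverse proxies whose X-Forwarded-* headers may be trusted.
ALLOWED_HOSTS = {"heimdall.example.internal"}
TRUSTED_PROXIES = {"10.0.0.5"}
DEFAULT_AFTER_SAVE = "/users"


def _lower_headers(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise once for lookups.
    return {k.lower(): v for k, v in headers.items()}


def effective_host(headers: dict, peer_ip: str) -> str:
    """Host used to build absolute URLs (asset links, Location headers).

    X-Forwarded-Host is honoured only when the request came from a trusted proxy
    and its value is on the allow-list; otherwise the canonical host is used.
    """
    h = _lower_headers(headers)
    candidate = h.get("x-forwarded-host") if peer_ip in TRUSTED_PROXIES else None
    if candidate is None:
        candidate = h.get("host", "")
    # The header may carry a comma-separated chain and a port; compare bare host.
    host_only = candidate.split(",")[0].strip().split(":")[0].lower()
    return host_only if host_only in ALLOWED_HOSTS else sorted(ALLOWED_HOSTS)[0]


def safe_redirect_target(headers: dict, peer_ip: str) -> str:
    """Where to send the user after a form post such as POST /users/2.

    A Referer-derived target is accepted only when it points back at this
    application (http/https, same host) and yields a plain relative path, so
    the Location header can never carry a foreign origin.
    """
    parts = urlsplit(_lower_headers(headers).get("referer", ""))
    same_app = (parts.scheme in ("http", "https")
                and parts.hostname == effective_host(headers, peer_ip))
    path = parts.path or "/"
    # Reject scheme-relative forms such as "//evil.example" and non-rooted paths.
    if same_app and path.startswith("/") and not path.startswith("//"):
        return path + (f"?{parts.query}" if parts.query else "")
    return DEFAULT_AFTER_SAVE
```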

Remediation

Users are advised to update to Heimdall version 2.7.3 or later, where this vulnerability has been addressed.

Added: Jul 30, 2025, 4:28 PM
Updated: Jul 30, 2025, 4:28 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           4.5
impact           1.3
exploitability   7.6
remediation      8.3
relevance        0.3
threat           6.5
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.